I 


1 


.S! 


ft 


vij 

$9 


Final  Technical  Report 


Navy  Grant  N00014-85-K-0057 


Office  of  Naval  Research 


4.  Computability  Theory  for  Distributed  Systen 


ifr^m 


OTIC 

^L.E.*v«.  i'EE 

APR  0  7  19861 


DEPARTMENT  OF  COMPUTER  SCIENCES 
THE  UNIVERSITY  OF  TEXAS  AT  AUSTIN 


AUSTIN,  TEXAS  787 12 


PgTBaOTOW  STATEMENT  A 

Approved  for  puhUc  releases 
_ _ DifUibutioa  Unfimhed 


Final  Technical  Report 

Navy  Grant  N00014-85-K-0057 


Office  of  Naval  Research 


A  Computability  Theory  for  Distributed  Systems 


Principal  Investigator:  Jayadev  Misra 


Department  of  Computer  Sciences 
University  of  Texas  at  Austin 
Austin,  Texas  78713 


March  IS,  1086 


I 


PISTRIB^^ON  STATEMENT  A 

Approved  ioi  public  loleoso; 
Distribution  Unlimitod 


IPI 


Final  Report:  N00014-85-K-0057 


Summary  of  Work  Accomplished 


t.... 

\ 


The  work  propoeedijnd^'wis  grant  was  to  develop  theories  which  will  contribute 
to  the  design  and^aa^is  of  distributed  systems.  The  major  emphasis  of  the  proposed 
research  wasto'^udy  how  and  why  processes  in  a  message  passing  system  need  to  com¬ 
municate,  "^he  research  results  have  far  exceeded  our  initial  expectations:  in  the  following 
pages  we  describe  the  summary  of  the  work  performed  and  what  these  results  imply  for 
the  development  of  distributed  systems.  There  have  been  two  journal  papers  (Distributed 
Computing,  Springer- Verlag),  one  conference  paper  (Symposium  on  Principles  of  Program¬ 
ming  Languages  ’86),  and  several  technical  reports  published  under  this  grant. 


How  Processes  Learn  [4,1] 


Processes  in  distributed  systems  communicate  with  one  another  exclusively  by  sending 
and  receiving  messages.  A  process  has  access  to  its  state  but  not  to  the  states  of  other 
processes.  Many  distributed  algorithms  require  that  a  process  determine  facts  about  the 
overall  system  computation.  In  anthropomorphic  terms,  processes  “learn”  about  states 
of  other  processes  in  the  evolution  of  system  computation.  This  work  is  concerned  with 
how  processes  learn.  We  give  a  precise  characterization  of  the  TniniTnuTn  information  flow 
necessary  for  a  process  to  determine  speciflc  facts  about  the  system. 


The  central  concept  in  our  study  is  that  of  isomorphism  between  sjrstem  computa¬ 
tions  with  respect  to  a  process:  two  sirstem  computations  are  isomorphic  with  respect  to 
a  process  if  the  process  behavior  is  identical  in  both.  In  anthropomorphic  terms,  “83r8- 
tem  computations  are  isomorphic  with  respect  to  a  process,”  means  the  process  cannot 
distinguish  between  them. 


Many  correctness  arguments  about  distributed  systems  have  the  following  operational 
flavor:  “I  will  send  a  message  to  you  and  then  you  will  think  that  I  am  busy  and  so 
you  will  broadcast . . .” .  Such  operational  arguments  are  difiicult  to  understand  and  error 
prone.  The  basis  for  such  operational  arguments  is  usually  a  “process  chain” :  a  sequence 
of  message  transfers  along  a  chain  of  processes.  We  advocate  nonoperational  reasoning. 
The  basis  for  nonoperational  arguments  is  isomorphism;  we  relate  isomorphism  to  process 
chains.  Algebraic  properties  of  system  computations  under  isomorphism  provides  a  precise 
framework  for  correctness  arguments. 


It  has  been  proposed  that  a  notion  of  “knowledge”  is  useful  in  studying  distributed 
computations.  In  earlier  works,  knowledge  is  introduced  via  a  set  of  axioms.  Our  definition 
of  knowledge  is  based  on  isomorphism.  Our  model  allows  us  to  study  how  knowledge  is 
“gained”  or  “lost”.  One  of  our  key  theorems  states  that  knowledge  g^  and  knowledge  loss 
both  require  sequential  transfer  of  information:  if  process  q  does  not  know  fact  6  and  later, 
p  knows  that  q  knows  6,  then  q  must  have  communicated  with  p,  perhaps  indirectly  through 
other  processes,  between  these  two  points  in  the  computation;  conversely,  if  p  knows  that  q 
knows  6  and  later,  q  does  not  know  6  then  p  must  have  communicated  with  q  between  these 
two  points  in  the  computation.  In  the  first  case,  the  effect  of  communication  is  to  inform 


n 


Final  Report:  N00014-85-K-0057 


2 


p  of  9*8  knowledge  of  b.  Analogously,  in  the  second  case,  the  effect  of  communication  is  to 
inform  q  of  p’s  intention  of  relinquishing  its  knowledge  (that  q  knows  h).  Generalizations 
of  these  results  for  arbitrary  sequences  of  processes  are  stated  and  proved  as  corollaries  of 
a  general  theorem  on  isomorphism. 

We  use  the  results  alluded  to  in  the  last  paragraph  for  proving  lower  bounds  on  the 
number  of  messages  required  to  solve  cert^  problems.  We  show,  for  instance,  that  there 
is  no  algorithm  to  detect  termination  of  an  imderlying  computation  using  only  a  bounded 
number  of  overhead  messages. 

We  have  extended  this  work  in  [l]  to  deduce  facts  from  incomplete  information. 

Reaching  Agreement  in  Faulty  Distributed  Systems  [2,3] 

Reaching  agreement  in  a  faulty  distributed  system,  also  known  as  Byzantine  agree¬ 
ment,  has  been  a  central  problem  in  fault-tolerant  distributed  computing.  Our  interest  in 
studying  this  problem  was  to  develop  theories  and  conditions  for  fault  tolerance  in  var¬ 
ious  different  situations.  We  studied  an  important  algorithm  due  to  Fischer,  Lynch  and 
Fowler  (’‘A  Simple  and  Efficient  Byzantine  Generals  Algorithm,”  Proceedings  of  the  2nd 
Symposium  on  Reliability  in  Distributed  Software  and  Database  Systems,  July,  1982)  and 
proposed  a  proof  of  it  along  traditional  lines  of  program  proving.  This  work  has  resulted  in 
a  very  compact  version  of  this  algorithm.  Another  important  result,  again  due  to  Fischer 
and  Lynch,  shows  that  agreement  requirements  s3rnchroiqr:  in  an  asynchronous  system, 
agreement  on  a  common  value  cannot  be  reached  even  if  only  one  process  fails.  We  pro¬ 
vided  a  proof  of  this  result  using  a  set  of  simple  axioms.  Our  proof  abo  includes  a  number 
of  key  lemmas  and  clarifies  the  relationship  between  agreement  and  decision  making  by  a 
process. 

An  Abstract  Concurrent  Model  and  Its  Temporal  Logic  [5] 

{The  work  of  Professor  Pnueli  was  supported  by  this  grant} 

We  advance  the  radical  notion  that  a  computational  model  based  on  the  reals  provides 
a  more  abstract  description  of  concurrent  and  reactive  systems,  than  the  conventionaJ 
integers  based  behavioral  model  of  execution  sequences.  This  model  is  studied  in  the 
setting  of  temporal  logic,  and  we  illustrate  its  advantages  by  providing  a  fully  abstract 
temporal  semantics  for  two  simple  concurrent  languages,  and  examples  of  specification 
and  verification  of  concurrent  programs  within  the  real  temporal  logic  defined  here.  It  is 
shown  that,  by  imposing  the  crucial  condition  of  finite  variability,  we  achieve  a  balanced 
formalism  that  is  insensitive  to  Snite  stuttering,  but  can  recognize  in&nite  stuttering,  a 
distinction  which  is  essential  for  obtaining  a  fully  abstract  semantics  of  nonterminating 
processes.  Among  other  advantages,  going  into  real-based  semantics  obviates  the  need  for 
the  controversial  representation  of  concurrency  by  interleaving,  and  most  of  the  associated 
fairness  constraints. 


Final  Report:  N00014-85-K-(X)57 
Systolic  Arrays  as  Programs  [6] 


3 


Systolic  algorithms  represent  a  form  of  parallel  programming  in  which  a  number  of 
nodes  (machines)  are  interconnected  by  a  set  of  lines.  A  node  reads  from  its  input  lines 
and  writes  into  its  output  lines  on  specific  clock  pulses  and  there  are  only  a  few  kinds  of 
nodes  each  doing  different  kinds  of  processing.  Systolic  algorithms  are  typically  described 
by  pictures  of  the  interconnections  of  nodes,  descriptions  of  processing  at  each  node  in 
the  picture  and  data  movements  among  nodes  at  several  successive  steps.  A  pictorial 
representation  guarantees  that  the  algorithm  can  be  implemented  on  a  VLSI  chip  without 
wire  crossings,  for  instance.  However,  a  picture  makes  it  difficult  to  argue  about  the 
correctness  of  the  algorithm,  explore  alternate  designs  or  even  develop  an  algorithm  in  a 
systematic  manner. 

We  propose  to  view  systolic  algorithms  as  programs  and  hence,  apply  traditional  pro¬ 
gram  development  techniques,  based  on  invariants,  in  their  design.  We  carry  out  the 
developments  for  matrix  multiplication  of  band  matrices  and  L-U  decomposition  of  a  band 
matrix. 


Accesion  For  \  | 

NTiS  CRA&I 
DTIC  TAB 
Unannounced 
Justification 

□ 

□ 

By 

— 

Disfaibution/ 

Availability  Codes 

]~Avail  and /or 


Final  Report:  N0(X)14-85-K-0057 
Technical  Reports 


4 


(1)  “Learning  from  Incomplete  Information,’*  Technical  Report,  Department  of  Computer 
Sciences,  University  of  Texas,  September  1985,  (K.  Mani  Chandy  and  Jayadev  Misra). 

(2)  “Understanding  a  Byzantine  Algorithm,”  TR-85-20,  Department  of  Computer  Sci¬ 
ences,  University  of  Texas,  September  1985,  (Jayadev  Misra). 

(3)  “On  the  Non-existence  of  Robust  Commit  Protocol,”  Technical  Report,  Department 
of  Computer  Science,  University  of  Texas,  November  1985,  (K.  Mani  Chandy  and 
Jayadev  Misra). 


Publications 

(4)  “How  Processes  Learn,”  Proceedings  of  the  Fourth  Annual  ACM  Symposium  on  Prin¬ 
ciples  of  Distributed  Computing^  Minaki,  Ontario,  Canada,  August  5-7,  1985.  Also 
appeared  in  Journal  of  Distributed  Computing,  Vol.  1,  No.  1,  pp.  40-52  (Springer- 
Verlag),  (K.  Mani  Chandy  and  Jayadev  Misra). 

(5)  “A  Really  Abstract  Concurrent  Model  and  its  Temporal  Logic,”  Proceedings  of  the 
Thirteenth  Annual  ACM  SIGACT-SIGPLAN  Symposium  on  Principles  of  Program¬ 
ming  Languages,  St.  Petersburg,  Florida,  January  13-15, 1986,  pp.  173-183,  (Howard 
Barringer,  Ruurd  Kuiper  and  Amir  Pnueli). 

(6)  “Systolic  Algorithms  as  Programs,”  to  appear  in  the  special  issue  on  VLSI,  Journal  of 
Distributed  Computing,  Vol.  1,  No.  3,  (K.  Mani  Chandy  and  Jayadev  Misra). 


f 

Learning  from  Incomplete  Information 

(Extended  Abstract) 

K.  Mani  Chandy 
Jayadev  Misra 

Department  of  Computer  Sciences 
The  University  of  Texas 
Austin,  Texas  78712 
(512)471-4353 


12  September  1085 


This  work  was  supported  by  a  grant  from  the  Office  of  Naval  Research  under  grant 
number  ONR  N0(X)14-85-K-0057. 


"When  you  have  eliminated  the  impossible,  whatever  remains,  however  im¬ 
probable,  must  be  the  truth. 


Introduction 

Deduction,  according  to  Holmes,  is  based  upon:  (1)  plausibilities,  (2)  clues,  and  (3) 
elimination  of  impossibilities  given  the  clues.  Holmes  starts  his  detection  with  a  set  of 
possible  scenarios,  i.e.,  a  model  of  the  crime.  Then  he  gathers  clues  and  eliminates 
scenarios  that  are  incompatible  with  his  clues.  Our  view  of  knowledge  is  similar.  We 
start  with  a  model  (set  of  possible  scenarios),  we  make  certain  observations  of  the  sys¬ 
tem  and  thereby,  we  eliminate  scenarios  that  are  incompatible  with  the  observations.  In 
this  paper,  we  are  concerned  exclusively  with  deduction,  i.e.,  elimination  of  scenarios  in¬ 
compatible  with  observations.  We  do  not  address  the  question  of  how  the  model  is  pos¬ 
tulated  in  the  first  place,  nor  with  methods  for  making  observations. 

For  a  variety  of  reasons,  one  cannot  always  observe  everything  one  wants  to. 
Deductions  are  necessary  precisely  because  observations  are  often  incomplete.  For  ex¬ 
ample,  reasons  for  an  aircraft  crash  has  to  be  deduced  from  the  information  in  voice 
and  data  recorders,  control  tower  recordings  and  memories  of  survivors.  Software  is 
debugged  by  collecting  values  of  certain  key  variables  over  some  points  in  execution  and 
this  partial  observation  may  enable  a  programmer  to  deduce  that  the  program  has  an 
error,  i.e.,  program  behavior  is  incompatible  with  a  correct  implementation.  Fault 
detection  and  location  in  electronic  circuits  are  often  carried  out  by  observing  the  volt¬ 
age  levels  on  some  specified  lines;  it  is  usually  too  expensive  to  probe  all  lines.  A  design 
task  is  to  identify  the  lines  that  may  be  probed  and  make  those  lines  accessible.  This  is 
akin  to  deciding,  at  the  design  stage,  what  must  be  observable  to  gain  certain  kinds  of 
knowledge.  We  propose  a  model  of  computation  which  captures  the  essence  of  partial 
observations. 

Given  a  partial  observation,  all  scenarios  that  could  have  produced  that  obser¬ 
vation  are  isomorphic  with  respect  to  that  observation;  all  other  scenarios  can  be 
eliminated  from  further  consideration.  In  general,  if  more  is  observed,  more  scenarios 
can  be  eliminated  and  hence  more  knowledge  about  the  system  can  be  gained. 

We  propose  a  general  model  of  discrete  systems  in  terms  of  events  and  relation¬ 
ships  among  them.  Our  model  appears  to  be  general  enough  to  encompass  all  known 
distributed  systems  including  the  usual  message  passing  and  shared  variable  models. 
We  define  the  notion  of  isomorphism  among  computations  with  respect  to  a  process, 
i.e.,  two  computations  are  isomorphic  with  respect  to  a  process,  if  the  process  cannot 

^Sherlock  Holmes  in  The  Sign  of  the  Four,  [Chapter  6],  by  Sir  Arthur  Conan  Doyle,  [1890]. 


distinguish  between  the  two  computations.  Our  fundamental  theorem  relates  isomor¬ 
phism  to  communications  among  processes  in  a  computation.  We  define  knowledge 
using  isomorphism  and  show  the  types  of  communications  needed  to  gain  or  lose 
knowledge.  We  postulate  that  some  pairs  of  events  on  a  process  may  not  be  distin¬ 
guishable  to  it.  Thus,  a  process  may  know  that  a  certain  type  of  event  has  occurred, 
but  it  may  not  be  able  to  say  which  particular  event  of  that  type  has  occurred.  This  is 
a  mechanism  for  capturing  the  notion  of  partial  observation. 

Model 

A  system  is  a  set  of  events  E  and  two  binary  relations  — ►  and  ~  on  events, 
where  -+  is  a  partial  order  and  ~  is  irreflexive  and  symmetric.  A  computation  is  any 
sequence  of  events  x  satisfying  the  following  two  conditions.  For  any  e,e'  in  E: 

1.  precedence:  if  e  — ^  e'  and  c'  is  in  x  then  e  occurs  prior  to  c'  in  x. 

2.  exclusivity:  if  e  ^  e*  than  at  most  one  of  e,e '  is  in  x. 

An  event  represents  a  discrete  action;  t  t*  means  that  event  e'  can  occur  only 
after  event  t  has  occurred;  t  ^  t*  means  that  both  c,e '  cannot  occur  in  the  same  com¬ 
putation.  Note  that,  if  c  -♦  e '  and  e  ~  c '  then  t '  can  occur  in  no  computation. 

Our  definition  of  system  is  given  independent  of  the  processes  at  which  an  event 
may  take  place.  A  number  of  important  properties  of  computations,  such  as  prefix 
closure  etc.,  may  be  proven  from  our  definition.  However,  an  adequate  theory  of 
knowledge  requires  us  to  postulate  processes  which  are  not  omniscient.  We  do  so  next. 

Each  process  has  a  set  of  invisible  events;  these  are  the  ones  in  which  it  presum¬ 
ably  does  not  participate  and  whose  occurrences  it  cannot  observe;  remaining  events  are 
visible  to  it.  Furthermore,  a  process  may  be  unable  to  distinguish  between  some  of  its 
visible  events;  this  captures  the  notion  that  what  a  process  can  observe  is  an  abstraction 
of  the  events  in  the  underlying  computation.  Formally,  a  process  is  a  pair  (A,/7)  where 
AGE  and  n  is  a  partition  of  A.  Only  the  events  in  A  are  visible  to  the  process  and 
the  partition  77  groups  events  in  A  into  equivalence  classes  such  that  all  events  in  an 
equivalence  class  are  indistinguishable  to  the  process.  A  process  can  only  observe  the 
equivalence  class  to  which  a  visible  event  belongs,  but  not  the  event  itself. 

We  note  that  an  event  may  be  visible  to  several  processes;  this  denotes  that  the 
event  is  to  take  place  simultaneously  at  all  these  processes.  Furthermore,  two  events 
may  be  indistinguishable  to  a  process  p  and  distinguishable  to  another  process  q.  We 
can  model  usual  message  passing  systems  by  considering  both  active  processes  and  chan¬ 
nels  as  processes  in  our  system.  Similarly,  shared  variable  systems  may  be  modelled  by 
considering  active  processes  and  shared  variables  as  processes.  It  is  important  to  note 
that  we  can  define  any  pair  (A,77)  to  be  a  process.  Our  choice  is  dictated  by  what  kinds 
of  knowledge  we  wish  to  study.  For  instance,  if  we  want  to  deduce  the  operation  of  a 


3 


message  passing  system  from  the  messages  transmitted  in  the  system,  we  will  consider 
the  channels  (along  which  messages  are  transmitted)  as  processes. 


Notation::  Unless  otherwise  stated,  we  use  x,y,2  to  denote  computations  and  p,q,r  for 
processes;  these  symbols  may  be  used  with  superscripts  or  subscripts  also.  The  con¬ 
catenation  of  sequences  x  and  y  will  be  denoted  by  (x;y).  For  sequences  x,y,x  <  y 
denotes  that  x  is  a  prefix  of  y;  in  this  case  (x,y)  denotes  the  sufHx  of  y  obtained  by 
deleting  x  from  y.  The  empty  sequence  will  be  denoted  by  null. 


The  following  example  demonstrates  how  a  process  may  be  unable  to  distinguish 
some  of  its  visible  events. 

Example 

A  mutual  exclxision  algorithm  between  two  processes  p,q  is  implemented  by  means 
of  a  token:  only  the  process  holding  the  token  may  enter  a  critical  section.  The  deci¬ 
sion  by  a  process  to  enter  its  critical  section  is  nondeterministic.  If  the  token  holder 
wishes  to  enter  its  critical  section  then  it  does  so  and  sends  the  token  to  the  other 
process  upon  completion  of  the  critical  section  execution;  if  it  decides  not  to  enter  the 
critical  section,  then  it  sends  the  token  to  the  other  process  immediately.  A  portion  of 
the  system  is  shown  in  figure  1. 

The  set  of  events  E  =  {a,b,e,d,e}.  The  relation  is  {{a,c),  (c,d),  (a,d),  (6,e)}  and 
the  relation  Is  {(o,6),  (6,o)}.  The  important  point  to  note  is  that  the  process  receiv¬ 
ing  the  token,  i.e.,  with  visible  events  d  and  e,  cannot  deduce  whether  the  other  process 
did  enter  its  critical  section  prior  to  sending  it  the  token,  i.e.,  events  (/,e  are  indistin¬ 
guishable  to  this  process.  Hence  this  process  is  defined  by  (A, 77)  where  A  =  {d,e}  and 
77  =  {{d,c}}.  The  process  sending  the  token  is  {{a,b,c},  {{a},  {6},  {c}}).  The  process 
receiving  the  token  views  the  receive  as  a  single  event,  yet  we  model  it  as  two  distinct 
events  d,c  and  represent  the  fact  that  the  process  cannot  distinguish  between  them  by 
having  them  in  the  same  equivalence  class. 

Results 

We  simplify  the  discussion  of  distinguishability  by  assuming  that  each  process  has 
an  associated  set  of  colors,  one  distinct  color  for  each  equivalence  class  in  its  partition 
and  distinct  processes  have  no  common  color.  Every  event  has  all  the  colors  of  the 
various  equivalence  classes  that  it  belongs  to,  corresponding  to  the  processes  to  which  it 
is  visible.  In  any  computation  x,  a  process  p  cannot  observe  the  invisible  events  and  for 
each  visible  event  it  can  only  observe  the  color  of  the  event.  This  is  captured  in  the  fol¬ 
lowing  definition. 

Deflnition::  For  a  process  p  and  a  computation  x,  p’s  observations  of  xja.the  sequence 
of  colors  of  the  visible  events  of  p  in  x. 


Figure  1: 

All  of  our  definitions  and  results  are  easily  generalized  when  individual  processes 
are  replaced  by  sets  of  processes.  This  is  because,  processes  {p,^}  together  form  a 
process  whose  visible  events  are  the  ones  visible  to  either  p  or  q  and  two  visible  events 
of  this  process  are  indistinguishable  if  and  only  if  they  are  visible  and  indistinguishable 
to  both  p,q. 

Definition::  A  sequence  x  has  a  process  chain  <p,q,...,r>  if  and  only  if  there  exists  a 
subsequence  of  events,  e,e not  necessarily  distinct,  in  x  such  that  (l) 
e  —*■  t'  c "  and  (2)  c  is  on  p,  c '  is  g,...,c "  is  on  r. 

A  process  chain  as  above  indicates  that  in  the  given  computation  p  informs  q  and 
later  q  informs  ...,r  is  informed. 

Definition::  For  any  process  p,  [p]  is  an  equivalence  relation  between  computations 
defined  as  follows: 

X  [p]  y  means  p’s  observations  of  x  =  p’s  observations  of  y.  — 


Intuitively,  x  [p]  y,  to  be  read  as  x  is  isomorphic  to  y  with  respect  to  p,  means  that 
p  cannot  distinguish  between  computations  x,y.  Isomorphism  is  the  basis  for  our  work; 
p’s  knowledge  of  the  system  has  to  be  identical  for  both  x,y. 

Deflnition::  x[pq ...  r]  y  means  there  exists  z  such  that, 
x\p\z  and  z  [9 ...  r]  y. 

Intuitively,  x  [p  ?]  y  denotes  that  there  is  a  computation  z  which  p  cannot  distin¬ 
guish  from  X  and  q  cannot  distinguish  from  y.  The  relation  [pq]  is  the  relational 
product  of  [p]  and  [9].  This  is  generalized  to  arbitrary  sequence  of  processes  in 
x[pg... r|y.  A  number  of  algebraic  properties  of  isomorphism  relations  appear  in  [l]. 
Next,  we  present  our  fundamental  theorem  which  relates  process  chains  and  isomor¬ 
phism  relations. 

Theorem  1:  (Fundamental  Theorem)  Let  x  <  y.  For  any  sequence  of  processes 
p,q,...,r,  there  is  a  process  chain  <p  q ...  r>  in  (x,y)  or  x  [p  q ...  r]  y. 

Process  chains  capture  our  intuitive  notion  of  information  transfer  among 
processes.  The  theorem  given  above  allows  us  to  consider  information  transfer  (or  its 
absence)  in  algebraic  terms  using  only  isomorphism  relations.  In  fact,  our  theorems 
about  knowledge  gain  and  loss  are  corollaries  of  this  theorem.  This  theorem  can  be 
strengthened  when  every  visible  event  of  a  process  has  a  unique  color,  i.e.,  when  a 
process  can  distinguish  among  all  its  visible  event. 

Theorem  2:  Let  p,q,...,r  be  processes  which  have  unique  colors  for  all  their  visible 
events,  i.e.,  every  equivalence  class  for  each  of  these  processes  has  exactly  one  event  in 
it.  Then,  for  any  x,y  where  x  <  y,  x[p  q ..  r]  y  if  and  only  if  there  is  no  process  chain 
<pq..r>  in  (x,y). 

Now,  we  define  knowledge  predicates.  Let  b  be  any  predicate  whose  value  at  a 
computation  x  is,  b  at  x.  We  define  a  predicate  p  knows  b. 

Definition::  (p  knows  b)  at  x  =  for  all  y:  x  [p]  y  :  b  at  y. 

Intuitively,  p  knows  b  at  x  \t  b  is  true  for  all  computations  which  p  cannot  distin¬ 
guish  from  X. 

Note  that  b  may  itself  be  a  knowledge  predicate.  The  knowledge  axioms  appear¬ 
ing  in  [2]  may  be  derived  from  this  definition.  It  may  be  easily  seen -that  (p  knows 
(q  knows  b))  at  x  =  for  all  y:  x[p  q]y:b  at  y. 


6 


Notation::  We  write, 

p  knows  ...  q  knows  h,  to  stand  for,  (p  knows  ...  {q  knows  b)) 


Our  next  theorem  shows  that  knowledge  can  be  gained  or  lost  only  in  a  sequential 
manner. 

Theorem  3:  (p  knows  ...  q  knows  b  at  x  and  x  [p ...  q]  y)  implies  q  knows  b  at  y. 

Observe  that  x,y  are  arbitrary  computations  and  p,...,g  are  arbitrary  processes  in 
the  above  theorem.  If  z  <  y,  p  knows  ...  q  knows  6  at  x  and  '^q  knows  6  at  y,  then 
knowledge  is  lost  and  the  theorem  shows  that  '-^x  [p  ...q]  y.  Using  the  fundamental 
theorem,  we  then  deduce  that  there  is  a  process  chain  <p ...  q>  in  this  case.  Hence 
knowledge  can  be  lost  only  by  p  informing  the  next  process  in  the  chain  (of  its  intention 
to  lose  knowledge  of  b)  which  informs  the  next  process,  etc.,  until  q  is  informed  and  q 
loses  its  knowledge  of  6.  If  y  <  x,  '^q  knows  6  at  y  and  p  knows  ...  q  knows  b  at  x, 
then  knowledge  is  gained  and  the  theorem  then  tells  tis  that  ~x  [p ...  q]  y.  Using  al¬ 
gebraic  properties  of  isomorphism  relation  this  leads  to  ^y  [q ...  p]  y  and  then  using  the 
fundamental  theorem,  there  is  a  process  chain  <q...  p>  in  (y,x).  Therefore,  knowledge 
is  gained  in  a  sequential  manner  in  the  reverse  direction,  q  gaining  knowledge  of  6  and 
then  informing  the  previous  process  in  the  chain  of  its  knowledge  of  6,...,p  gaining 
knowledge  of  6  by  being  informed  by  the  process  ahead  of  it  in  the  process  chain. 

This  theorem  gives  a  lower  bound  not  only  on  the  numbers  of  message  transmis¬ 
sions  but  also  on  the  lengths  of  the  process  chains.  All  the  results  in  [l]  may  be 
similarly  proven  for  the  general  model  proposed  in  this  paper.  We  sketch  two  new 
results. 

K'Way  Common  Knowledge 

The  notion  of  common  knowledge,  as  used  here,  is  from  Halpern  and  Moses  [2]. 
They  showed  the  impossibility  of  achieving  common  knowledge  in  a  system  which  ad¬ 
mits  of  no  simultaneous  events.  We  prove  a  stronger  result:  we  show  that  if  every 
event  is  visible  to  A:  or  fewer  processes.  A?  >  0,  then  common  knowledge  among  A:  -I-  1 
processes  cannot  be  gained  or  lost. 

The  predicate,  P  has  common  knowledge  of  b,  where  P  is  a  set  of  processes  and  6 
is  a  predicate,  has  a  value  equal  to  the  following  expression  at  any  computation  x: 

(6  at  x)  and  (for  all  p'm  P.  p  knows  b  at  x)  and 

(for  all  p,q  in  P.  p  knows  q  knows  b  at  x)  and  ... 


7 


I 


f 

I 

I 


It  follows  that,  for  any  p  in  P, 

P  has  common  knowledge  of  b  =  p  knows  P  has  common  knowledge  of  b. 

Let  every  event  e  in  a  system  be  visible  to  at  most  k  processes,  i.e.,  no  event  oc¬ 
curs  at  more  than  k  processes  simultaneously.  Then,  we  will  show  that  for  any  P  whose 
cardinality  exceeds  k  and  any  predicate  6,  P  has  common  knowledge  of  b  is  a  constant 
predicate,  i.e.,  it  holds  at  all  computations  or  its  negation  holds  at  all  computations.  In 
other  words,  no  nontrivial  common  knowledge  can  be  gained  or  lost.  In  particular,  two- 
way  communication  is  inadequate  for  achieving  three-way  synchronization  and  gaining 
knowledge  by  each  party  about  each  other’s  knowledge  about  the  synchronization. 

Theorem  4:  Let  every  event  in  a  system  be  visible  to  at  most  k  processes  and  let  P  be 
a  set  of  more  than  k  processes.  For  every  predicate  6,  P  has  common  knowledge  of  6,  is 
a  constant  predicate. 

Proof  (sketch):  We  show  that, 

P  has  common  knowledge  of  b  at  x  = 

P  has  common  knowledge  of  b  at  null. 

Proof  is  by  induction  on  length  of  x.  Base  step  is  trivial.  For  the  inductive  step,  we 
need  to  show  that  for  any  computation  (x;e), 

P  has  common  knowledge  of  b  at  x  ^  P  has  common  knowledge  of  b 
at  (x;e). 


I 

i 


Is 


From  the  premise  of  the  theorem,  there  is  some  process  p  in  P  to  which  event  e  is  in¬ 
visible.  Hence, 

x[p]  (x;c). 


Therefore,  p  knows  6 '  at  x  =  p  knows  b '  at  (x;e),  for  any  6 '.  Letting  b'  he,  P  has  com¬ 
mon  knowledge  of  b,  and  using  the  fact  that, 

P  has  common  knowledge  of  b  =  p  knows  P  has  common  knowledge  of  b, 
the  desired  result  follows. 


I 


The  next  result  was  suggested  to  us  by  Amir  Pnueli.  We  show  that  all  processes 
in  an  asynchronous  message  passing  system  can  never  agree  that  all  channels  are  empty 
unless  they  are  empty  at  all  computations,  i.e.,  they  are  initially  empty  and  no  process 
sends  a  message  in  any  computation.  A  formal  model  of  asynchronous  message  passing 
systems  appears  in  [1]  from  which  the  following  can  be  easily  derived. 

Let  6  be  the  predicate  that  all  channeb  are  empty.  Then,  knows  b  at  x  and  q 
knows  b  at  (x;e)  ^b  at  x.  Intuitively,  if  q  gains  knowledge  of  channel  nonemptiness, 
it  does  so  only  by  receiving  a  message  (event  e)  and  hence  some  channel  was  nonempty 
at  X.  Now  we  can  prove: 

Theorem  5:  Let  D  denote  the  set  of  processes  in  an  asynchronous  message  passing  sys¬ 
tem  in  which  some  process  sends  a  message  in  some  computation.  Let  b  be  the  predi¬ 
cate  that  all  channels  are  empty.  Then,  for  all  pm  D:  p  knows  6,  never  holds. 

Proof  (sketch):  If  not,  then  there  is  a  computation  (x;e)  and  process  q  such  that  ^q 
knows  b  at  X  and  for  all  p  in  D:  p  knows  b  at  (x;e).  Event  e  is  a  message  receive  on  q. 
Therefore,  there  is  a  process  r,  r  q,  such  that 

x[r]  (x;e) 

Hence,  r  knows  b  at  x,  because  r  knows  b  at  (x;e).  From,  '^q  knows  b  at  x  and  q  knows 
b  at  (x;c),  we  have  at  x,  which  contradicts,  r  knows  b  at  x. 

In  some  sense,  the  simplest  nontrivial  knowledge  that  a  process  can  acquire  is 
whether  an  invisible  event  e  has  occurred.  A  process  has  this  knowledge  if  and  only  if  it 
knows  that  its  observation  includes  a  visible  event  c '  where  e  -*  It  follows  that  ter¬ 
mination  of  one  process  p  cannot  be  detected  by  another  process  q,  because  the  event 
causing  termination  in  p  has  no  successor  (e  — »  e '  means  e '  is  a  successor  of  e)  in  q. 

When  each  event  has  a  unique  color,  the  question  of  whether  an  observation  in¬ 
cludes  c',  as  above,  is  readily  settled:  we  simply  decide  for  each  event  in  the  obser¬ 
vation  whether  it  is  a  successor  of  c.  However,  introduction  of  colors  makes  this 
problem  more  difficult;  we  show  that  the  problem  is  equivalent  to  answering  whether  an 
observation  can  occur  in  a  system. 

Theorem  6:  Let  x  be  a  computation  in  system  5  and  e  be  an  invisible  event  of  p. 

p  knows  e  has  occurred  at  x  =  there  exists  y  in  5',  x  [p]  y,  where  S' 
is  a  system  derived  from  5  by  deleting  all  e ',  e  -+  e 


I 

s 

i 


Acknowledgement 

We  are  immensely  indebted  to  Professor  Amir  Pnueli  for  stimulating  discussions 
about  the  "right”  model  for  distributed  computing.  Professor  CA.R.  Hoare’s  en¬ 
couragement  and  advice  about  a  more  algebraic  approach,  is  deeply  appreciated. 

References 

1.  Chandy,  K.  Mani  and  Misra,  Jayadev,  "How  Processes  Learn,"  Proceedings 
of  the  Fourth  Annual  ACM  Symposium  on  Principles  of  Distributed 
Computing,  Minaki,  Canada,  August  5-7,  1985  and  Distributed  Computing, 

Vol.  1,  No.  1,  1985,  (Springer-Verlag  Publishing  Company). 

2.  Halpern,  Joseph  Y.  and  Moses,  Yoram,  "Knowledge  and  Common 
Knowledge  in  a  Distributed  Environment,"  Proceedings  of  the  Third  Annual 
ACM  Symposium  on  Principles  of  Distributed  Computing,  Vancouver, 
Canada,  Augiist  27-29,  1984. 


UNDERSTANDING  A  BYZANTINE 
ALGORITHM 


J.  Misra 

Department  of  Computer  Sciences 
University  of  Texas  at  Austin 
Austin,  Texas  78712 

TR-85-20  September  1085 


This  work  was  supported  in  part  by  a  grant  from  the  Office  of  Naval  Research  under 
grant  ONR  N00014>85-K-0057. 


'5' 


‘S 

i 

4: 


4 

A 

i. 

I 

I 

» 

I 

I 


'4 

*il' 

I 


.••I 

I 

I 


$ 

I 


i 

Ji3 


Understanding  a  Byzantine  Algorithm 

K.  M.  Chandy 
J.  Misra 

Univer^ty  of  Texas 


Introduction 


The  problem  of  Byzantine  Agreement  defined  in  ( 1  ]  is  as  follows.  There  are  N 
processes  any  pur  of  which  may  communicate  by  messages.  Any  message  sent  is 
received  instantly  and  correctly  by  the  recipient.  It  is  given  that  exactly  t  of  the 
processes  are  faulty  and  the  rest,  N~t,  are  reliable.  Each  process  is  initially  off  or  on. 
The  problem  is  to  devise  a  scheme  whereby  all  reliable  processes  agree  eventually  on  a 
common  value,  0  or  1.  Furthermore,  the  common  value  is  0(1)  if  all  reliable  processes 
are  initially  off  (on).  Difficulty  arises  due  to  the  nature  of  faulty  processes:  they  may 
provide  conflicting  information  in  a  concerted  manner  to  thwart  agreement  by  reliable 
processes. 

We  discuss  an  ingenious  algorithm  for  this  problem  appearing  in  literature  [  2  ].  This 
note  is  intended  as  a  di^erent,  and  hopefully  simpler,  exposition  of  this  algorithm  and 
its  proof.  We  believe  that  simplification  is  achieved  by  removing  explicit  message 
communication  from  the  algorithm  description.  It  should  be  easy  to  see  how  our 
scheme  may  be  implemented  using  synchronous  message  communications.  Our  proof 
closely  follows  [  2  ]  though  the  restructuring  results  in  some  simplification. 

It  is  known  that  solutions  for  this  problem  exist  only  if  iV  >  3t  + 1.  We  assume  that 
and  t  >  0.  Let  low^t  +  1  and  htphs2t  +  l;  therefore  high  is  the 
number  of  reliable  processes.  Observe  that  every  subset  of  low  processes  has  at  least 
one  reliable  process  and  every  subset  of  high  processes  has  at  least  low  reliable 
processes. 

Algorithm 

We  represent  states  of  processes  and  their  communication  histories  by  a  colored  directed 
graph.  Every  vertex  corresponds  to  a  distinct  process  and  a  vertex  state  is  off/on 
denoting  the  current  state  of  the  process.  An  edge  (t  j)  is  directed  from  process  i  to  j, 
i  ^  y,  and  has  a  color,  black  or  white. 

Initially,  there  are  no  edges  in  the  graph  and  a  vertex  state  is  the  correspoading  process 
state.  The  algorithm  proceeds  in  rounds  where  during  the  first  part  of  a  round 
processes  note  the  states  of  all  other  processes  and  edges  that  are  present  in  the  graph. 


m 


Upon  completion  of  these  observations,  processes  recompute  their  states  and  may  add 
new  outgoing  edges.  Note  that  states  and  outgoing  edges  of  faiilty  processes  may  not  be 
observed  consistently  by  different  reliable  processes;  this  is  the  Byzantine  aspect  of  the 
problem.  We  assume  that  some  unspecified  mechanism  coordinates  the  observations 
and  computations  such  that  all  observations  precede  all  computations  in  a  round.  In 
particular,  processes  cannot  observe  changes  in  the  graph  or  process  states  during  the 
computation  phase  of  a  round. 

Reliable  processes  use  following  rules  to  add  edges,  color  edges  and  change  their  own 
states.  These  rules  may  be  applied  over  and  over  by  a  process  until  no  further  rule  is 
applicable.  In  the  following,  rules  are  given  for  a  generic  reliable  process  p  and 
arbitrary  process  j;  (pj)  is  the  edge  from  p  to  j,  if  it  exists.  Let  in(j)  denote  the  number 
of  incoming  edges  to  j,  as  observed  by  p,  during  a  round;  white-out(p)  is  the  number  of 
white  outgoing  edges  of  p. 

Eklge  Addition:: 

(p,j)  does  not  exist  and  (p  observed  j  \s  on  or  tn(j)  >  low)  —*■ 
add  black  edge  (pj) 

E^dge  Coloring:: 

(p,j)  is  black  and  in(j)  >  high  color  (pj)  white 

State  Change:: 

{Let  r  be  the  round  number} 

p  is  o//  and  white~out(p)  >  t  +  r/2  —*■  p  becomes  on 
Observation 

1.  No  reliable  process  becomes  off  once  it  is  on. 

2.  No  edge  is  ever  deleted  by  a  reliable  process.  No  white  outgoing  edge  of  a 
reliable  process  ever  becomes  blc^k. 

3.  A  reliable  process  creates  a  black  edge  (pj)  only  if  j  b  observed  on  by  some 
reliable  process,  possibly  p.  edge  (p,j)  b  white  only  if  there  are  at  least  /oto 
reliable  processes  with  edges  to  f  and  hence  these  edges  are  observed  in  all 
subsequent  rounds  by  all  reliable  processes. 

4.  There  b  nothing  magical  about  the  function  t  +  r/2. 

Let  R  be  such  that  agreement  on  a  common  value  b  reached  by  the  end-of  round  R. 
Any  function  /  satisfying  the  following,  b  acceptable. 


/(2)  low,  /(r  +  2)  <  1  +  /(r)  for  all  r  in  0  <  r  <  iZ  —  2,  f{R  —  3)  >  high, 
A.R-2)>  high. 

We  allow  function  /  to  be  real  valued  and  hence,  without  loes  in  generality,  we  can 
relax  one  of  the  conditions  to:  { J{R  —  3)  ]  >  high.  One  of  our  goab  is  to  minimize  R. 
Note  that  [/]  increases  from  low  to  at  least  high  from  round  2  to  A —  3  and  /  can 
increase  by  at  most  1  in  two  rounds.  The  unique  minimum  for  A  is  2t  +  4  and  a  choice 
for  /  is,  t  +  r/2. 

We  have  not  yet  specified  the  conditions  under  which  processes  commit  to  different 
values.  These  conditions  become  apparent  from  the  results  proven  below.  In  the 
following  p,q  denote  reliable  processes  and  j  an  arbitrary  process.  We  use  "at  round  r" 
to  mean  upon  completions  of  computations  of  round  r  and  "in  round  r"  to  mean  prior 
to  computations  of  that  round.  "At  round  0"  will  refer  to  initial  conditions. 

Lemma  1: 

Edge  {p,q)  is  white  at  round  (r  +  2)  iff  q  is  on  at  round  r. 


Proof: 

If  q  is  on  at  round  r,  it  is  observed  on  in  round  (A+  1)  by  all  reliable  processes  and 
hence  in(q)  >  high  at  (r+1).  Then  every  reliable  process,  including  p,  has  a  white 
edge  to  9  at  round  (r  +  2).  Conversely,  if  q  is  off  at  round  r,  it  is  off  at  all  precious 
rounds  and  it  is  observed  off  in  round  (r+1).  Hence  »n(q)  <  low  at  (r+1)  and 
therefore  no  reliable  process  has  a  white  edge  to  q  at  (r  +  2). 

Let  np(r)  denote  the  number  of  reliable  processes  which  are  on  at  round  r.  We  show  in 
the  following  lemma  that  if  any  reliable  process  changes  state  then  every  reliable  process 
is  on  two  rounds  later;  furthermore  a  state  change  is  possible  only  if  at  least  r/2  reliable 
processes  are  on  two  rounds  earlier.  We  note  that  npfr)  is  monotone  nondecreasing  in  r. 


Lemma  2: 

For  every  r,  2  <  r  <  A  —  2, 

[np(0)  *  np(r)j  or  (np(r  +  2)  =  high  and  np(r  —  2)  >  (r  —  l)/2] 

Proof: 

Conrider  the  smallest  r,  if  any,  for  which  np(0)  np(r).  If  no  such  r  exists,  the  lemma 
holds.  Some  reliable  process  p  applies  the  state  change  rule  at  round  r.  For  p. 


white— out{p)  >  t  +  r/2  in  round  r,  hence  p  has  white  edges  to  at  least  r/2  reliable 


processes  and,  from  lemma  1,  all  these  are  on  at  round  (r  —  2),  i.e.  np(r  — 2)  >  r/2. 
Also  np(r)  >  np(r  —  2)  and  hence  np(r)  >  r/2. 

Next  we  show  that  every  reliable  process  is  on  at  round  (r  +  2).  We  only  need  to  prove 
this  for  reliable  processes  which  are  off  at  round  r,  let  q  be  one  such  process.  We  show 
that  if  (pj)  is  white  at  round  r  then  (9J)  is  white  at  round  (r  +  2):  for  (pj)  to  be  white, 
in(J)  ^  high  in  some  round  before  or  in  round  r,  as  observed  by  p;  hence  at  least  low 
reliable  processes  have  edges  to  j  in  round  r;  then  every  reliable  process  has  at  least  a 
black  edge  to  j  at  (r+  1)  and  white  edge  at  (r+2).  Also,  edge  (p,g)  is  white  at  round 
(r  +  2),  from  lemma  1.  Also,  from  lemma  1,  p  has  no  white  edge  to  9  at  round  r. 
Therefore,  white-out(q)  at  round  (r  +  2)  >  1  +  white~out(p)  at  round  r  >  t  +  (r  +  2)/2; 
hence  9  is  on  at  (r  +  2). 

Consider  any  round  r'.  For  r*  <  r,  np(r')  =  np(0)  and  hence  the  lemma  holds. 

For  r*  >  r,  np{f*  +  2)  =  high. 

For  r'™  r+ 1,  np(r'  — 2)  >  np(r  — 2)  >  r/2  =  (r' —  l)/2. 

For  r'*  r+ 2,  or  1^  =  r+ 3,  np^r'  — 2)>  np{r)  >  np(r  — 2)+>  (r  +  2)/2  >  (r'— l)/2. 
For  all  larger  values  1^,  np(r'  —  2)  =  high  >  (r  —  l)/2. 

Theorem: 

1.  np(0)  =  0  implies  np{R  —  2)  =  0 

2.  np(0)  >  low  implies  np{R  —  2)  —  high 

3.  np(0)  <  low  implies  [np(0)  =  np{R  —  2)  or  np{R  —  2)  =  high] 

Proof: 

1.  Suppose  np(0)  0.  Observe  that  np(l)  =  0.  Let  r  be  the  smallest  value, 

r  >  2,  for  which  np(0)  ^  np(r).  Then  from  lemma  2,  np(r  — 2)  > 

(r  —  l)/2  >  0,  contradiction. 

2.  Let  np(0)  >  low.  From  lemma  1,  every  reliable  process  p  is  on  at  round  2 
because  white~out(p)  >  low  =  t  +  r/2,  at  r  =  2.  Hence  np(2)  =  high,  from 
which  the  result  follows. 

3.  Suppose  np(0)  np{R » 2).  Then  from  lemma  2,  np{R  —  4)  > 
(R—3)/2  >  (2<  +  l)/2.  Hence  np(R—4)  >  low.  Because  np(0)  <  low, 
np(0)  ^  np{R  —  4).  From  lemma  2,  np{R  —  2)  =  high. 

Commit  Rule::  At  round  R, 

white— out{p)  >  high  -*  commit  to  1 


white— out(p)  <  high  commit  to  0 
Corollary  1: 

All  reliable  processes  commit  to  the  same  value.  If  they  are  initially  off /on  they 
commit  to  0(1). 

Proof: 

From  the  theorem  nf/R  —  2)  <  low  or  np{R—2)=^high.  If  np{R  —  2)  <  low  then, 
from  lemma  1,  for  any  reliable  process  p,  white— out{p)  <  high  at  round  R.  If 
np{R  —  2)  =  high  then,  again  from  lemma  1,  white— out{p)  >  high.  Hence  all  reliable 
processes  commit  to  the  same  value.  Other  parts  follow  trivially  from  the  theorem. 


6 


REFERENCES 

1.  Lamport,  L.,  Shostak,  R.  and  Pease,  M.  "Byzantine  Generals  Problem", 
TOPLAS  1982. 

2.  Lynch,  N.,  Fischer,  J.  and  Fowler,  R.  "A  Simple  and  Efficient  Byzantine 
Generals  Algorithm",  Proceedings  of  the  2nd  Symposium  on  Reliability  in 
Dbtributed  Software  and  Database  Systems,  July  1082. 


I 


i/v 


H'* 

iii 


P 

m 


i 


S' 


£ 


On  the  Nonexistence  of  Robust 
Commit  Protocol 


K.  Mani  Chandy 
Jayadev  Miara 

Department  of  Computer  Sciences 
The  University  of  Texas 
Austin,  Texas  78712 
(512)471-4353 

21  November  1085 


This  research  was  supported  by  a  grant  from  the  Office  of  Naval  Research  under  grant 


Table  of  Contents 


1.  Introduction 

2.  Asynchronous  Message  Passing  Systems 

3.  Commit  Protocol 

4.  Robust  Commit  Protocol 


1 


1.  Introduction 

An  important  result  in  the  theory  of  asynchronous  message  passing  systems  is  the 
impossibility  of  distributed  consensiis  with  one  faulty  process.  This  problem  was  first 
defined  and  its  impossibility  proven  in  [2].  The  proof  in  [2]  relied  on  operational  details 
of  asynchronotis  message  communication:  channels,  sends  and  receives,  etc.  Our  goal  is 
to  prove  this  beautiful  result  in,  what  Dijkstra  terms,  a  purely  nonoperational 
framework.  We  do  so  by  defining  a  set  of  properties  assmchronoiis  message  passing  sys¬ 
tems  and  a  set  of  requirements  for  consensus  with,  or  without  ,  faulty  processes.  Our 
formulation  is  slightly  more  general  than  the  original  formulation:  we  allow  processes 
to  be  nondeterministic  and  we  do  not  require  any  kind  of  fairness  after  failure  of  a 
process. 

We  use  some  algebraic  properties  of  astern  computations  introduced  in  [l];  we 
also  use  most  of  the  key  ideas  from  [2]. 

2.  Asynchronous  Message  Passing  Systems 

Discussions  of  asynchronous  message  passing  systems  are  usually  given  in  terms  of 
processes,  channels,  send  and  receive  primitives  for  message  communications,  etc.  We 
take  a  different  approach;  we  define  these  ^sterns  by  a  small  set  of  their  properties 
which  make  no  mention  of  channels  or  messages. 

An  asynchronoiis  message  passing  system,  to  be  henceforth  called  system,  is  a  set 
of  processes  and  a  set  of  computations.  A  computation  is  a  finite  sequence  of  pairs  of 
the  form  (e,p),  where  e  is  an  event  and  p  is  a  process. 

An  intuitive  meaning  of  a  computation  in  a  system  is  that  it  is  possible  for  every 
event  to  happen  at  the  corresponding  process  in  the  sequence  given  by  the  computation. 
We  assign  no  meanings  to  events  or  processes.  No  causality  among  events,  such  as  be¬ 
tween  sends  and  receives,  is  explicitly  stated.  It  is  not  required  that  the  processes  be 
deterministic. 

Property  Al::  Every  prefix  of  a  computation  is  a  computation. 

The  empty  sequence  is,  therefore,  a  computation;  it  is  denoted  by  null. 

Notations::  Symbols  x,y,z,y*  denote  computations,  e,  e '  events  and  p,  a  process. 
<x;(e,p)>  denotes  the  sequence  obtained  by  concatenating  the  pmr  (e,  p)  to  x.  An 
extension  of  a  computation  x  is  a  computation  of  which  x  is  a  prefix.  For  any  x  and  p 
let  x^  be  the  subsequence  of  x  containing  p  as  the  process  component.  There  b  an  event 
on  p  between  x,  y,  where  y  b  an  extension  of  x,  if  there  b  some  pair  (e,  p)  in  y  after  x. 

Definition::  Computations  x,  y  are  isomorphic  with  respect  to  p,  to  denoted  by 
X  [p]  y,  means  that  x  =  y  . 


The  notion  of  isomorphism  is  from  [l]  where  it  was  used  to  state  and  derive 
several  properties  of  system  computations.  For  this  paper  we  only  note  the  following 
two  elementary  properties. 

•  [p]  is  an  equivalence  relation  over  system  computations. 

•  For  X  a  preflx  of  y,  there  is  an  event  on  p  between  x,  y  iff  -•  x  [p]  y. 

Property  A2::  Let  <x;(c,p)>  be  a  computation  and  y  an  extension  of  x  such  that 
X  [p]  y*  Then,  <y;  (e,  p)>  is  a  computation. 

The  intuitive  meaning  of  property  A2  is  that  if  an  event  e  can  happen  at  a  process 
p  at  some  point  in  the  computation  of  the  system  then  the  same  event  can  happen  at  a 
later  point  in  the  computation,  provided  that  p  has  taken  no  other  step  between  these 
two  points.  This  requirement  does  not  hold  for  all  concurrent  systems;  in  a  shared  vari¬ 
able  system,  a  process  reading  the  value  of  a  shared  variable  is  not  guaranteed  to  read 
the  same  value  at  a  later  point.  However  communications  in  message  passing  systems 
are  limited  to  message  sends  and  receives  which,  by  their  assmchronous  nature,  satisfy 
this  property. 

Property  A3::  For  any  x  and  p,  there  is  a  computation  <x;  (c,  p)>. 

In  a  message  passing  system,  processes  wait  only  to  receive  messages;  this  property 
postulates  that  a  process  can  always  terminate  its  waiting  without  receiving  a  message. 
Furthermore,  a  terminated  process  can  always  take  a  dummy  step. 

We  have  defined  computations  as  finite  sequences  and  almost  all  of  our  proofs  will 
exploit  the  finiteness  assumption.  In  order  to  state  the  problem  formally,  however,  we 
need  the  concept  of  a  fair  sequence,  a  special  kind  of  infinite  sequence.  A  fair  sequence 
is  an  infinite  sequence  of  (event,  process)  pairs  where  each  finite  prefix  is  a  computation 
and  each  process  appears  in  an  infinite  number  of  pmrs.  It  follows,  by  repeated  applica¬ 
tion  of  A3,  that  every  computation  is  a  prefix  of  some  fair  sequence. 

3.  Commit  Protocol 
Intuitive  Discussion 

A  commit  protocol  b  a  system  in  which  every  process  eventually  (explained  below) 
commits  to  a  value,  0  or  1,  and  all  processes  commit  to  the  same  value.  Furthermore, 
»'  processes  do  not  commit  to  one  value,  say  0,  in  all  computations.  Fair  sequences  cap¬ 
ture  our  intuitive  notion  of  infinitely  long  computations  (though,  recall  that  our  formal 
model  only  admits  of  finite  computations)  and  hence,  we  require  that'ievery  fair  se¬ 
quence  have  a  finite  prefix  in  which  a  commitment  is  made.  Since  every  computation  is 


3 


I 


I 


i 


I 


a  preflx  of  some  fair  sequence,  it  follows  that  every  computation  has  an  extension  whkb 
commits. 

Now  we  introduce  the  extremely  useful  idea  of  valency  of  a  computation,  from  [2!|. 
Call  a  computation  0— valent  if  all  extenmons  of  it  which  commit  ,  commit  to  ^ 
nmilariy  1-valent.  A  bivalent  computation  te  neither  0-valent  nor  1-valent  .  Since 
every  computation  has  an  extension  which  commits,  it  follows  that  a  bivalent  computa¬ 
tion  has  a  0-valent  extendon  and  a  1-valent  extension.  Call  a  computation  univalent  if 
it  is  either  0-valent  or  1-valent. 

Now  we  give  a  formal  set  of  requirements  for  a  commit  protocol. 

Formal  Description  of  Commit  Protocol 

Let  y  indudet  x  denote  that  is  a  prefix  of  y^  for  all  p,  i.e.,  every  process  has  ex¬ 
tended  its  own  computation  in  going  from  xioy.  The  relation  includes  *is  a  generalizar 
tion  of  extension. 

A  commit  protocol  is  a  system  in  which  computations  are  0-valent,  1-valent  or 
bivalent.  These  satisfy: 

Cl::  There  is  a  valent  computation  and  a  1-valent  computation. 

C2::  Every  bivalent  computation  has  an  extension  that  is  0-valent  and  an  exten¬ 
don  that  is  1-valent. 

C3::  If  y  includes  x  and  x  is  0-valent  (1-valent)  then  y  is  0-valent  (1-valent). 

C4::  Every  fair  sequence  has  a  finite  prefix  that  is  univalent. 

Observation::  The  null  computation  is  bivalent,  from  Cl  and  C3. 

Definition::  Two  computations  are  incompatible  means  that  one  is  0-valent  and  the 
other  is  1-valent;  they  are  compatible  otherwise. 

Lemma  1::  For  a  computation  <x;  (c,p)>  and  any  extension  z  of  z, 

-I  z  [p]  s  or  the  computations  <z;  (e,  p)>,  z  are  compatible. 


Proof::  Suppose  z[p]  z.  Then,  from  A2,  <s;(e,p)>  is  a  computation.  If  <z;(e,p)> 
and  z  are  incompatible  then  one  is  0-vaient  and  the  other  1-valent  and  hence 
<s;(e,p)>,  which  includes  both  these  computations,  is  both  0-valent  and  1-valent, 
from  C3;  contradiction!  □ 


4 


A  process  p  is  a  decider  for  a  bivalent  computation  x  if  an  event  on  p  extends  x  to 
a  (Vvalent  computation  and  another  event  on  p  extends  x  to  a  1-valent  computation; 
equivalently,  there  exist  incompatible  computations  <x;(e,p)>  and  <x;(e',p)>.  The 
theorem,  given  below,  shows  that  every  commit  protocol  has  such  a  pair  of  incompatible 
computations. 

Theorem  1::  (Existence  of  Decider) 

There  exist  incompatible  computations  <x;(e,p)>  and  <x;(e',p)>. 

Proof::  We  assume  the  contrary:  every  pair  of  computations  <x;(e,p)>,  <x;(e^p)> 
is  compatible.  We  then,  show  that  for  every  bivalent  x  and  p  there  exists  a  bivalent  ex¬ 
tension  y  of  X  such  that  ^  x  (p]  y;  we  then  show  that  this  leads  to  a  contradiction  of  the 
requirement  C4. 

Consider  any  bivalent  x  and  process  p.  There  b  a  computation  <x;  (e,  p)>,  from 
A3.  If  <x;(e,p)>  b  bivalent,  the  result  b  proven.  Otherwise,  without  loss  in 
generality,  assume  that  <x;  (e,  p)>  b  0-valent.  From  bivalence  of  x,  and  C2,  there  ex¬ 
ists  a  1-valent  extension  z  of  x.  Since  <x ;  (e ,  p)>  b  0-valent  and  z  b  1-valent,  they 
are  incompatible  and  hence,  from  lemma  1,  x  [p]  x. 

Now  we  dbplay  a  bivalent  extension  y  x  for  which  -•  x  [p]  y.  We  only  consider 
extensions  of  x  which  are  also  prefixes  of  z.  Since  x  [p]  x  and  x  [p]  x,  there  exist  exten¬ 
sions  y ' ,  y  such  that  x  [p]  y x  [p]  y  and  y  b  a  one  event  extension  of  y Therefore, 
y  =  <  y';(e',p)  >  for  some  e^  We  show  that  y  b  neither  0-valent  nor  1-valent  and 
hence  bivalent.  From  C2,  y  b  not  0-valent  because  x  includes  y  and  x  b  1-valent.  To 
see  that  y  b  not  1-valent,  note:  (1)  since  <x ;  ( e ,  p  )>  b  a  computation,  y '  b  an  exten- 
aon  of  X  and  x(p]y',  from  A2,  <y';(e,p)>  b  a  computation,  (2)  <y',(e,p)>  and 
y«B<y',(e',p)>  are  compatible,  from  the  assumption  at  the  beginning  of  thb 
proof,  and,  (3)  <y'y(e,p)>  b  0-valent,  from  C3,  because  it  includes  <x,(e,p)> 
and  the  latter  b  0-valent  and,  (4)  from  (2)  and  (3),  y  b  not  1-valent. 

Now  we  have  a  procedure  for  obtaining  a  longer  bivalent  computation  from  any 
bivalent  computation  and  any  process  p.  We  may  apply  thb  procedure  infinitely  often, 
starting  from  null  computation  which  b  bivalent,  using  an  arbitrary  process  p  each  time 
and  ensuring  that  every  process  b  chosen  an  infinite  number  of  times.  The  faulting  in¬ 
finite  sequence  b  fur  and  all  its  finite  prefixes  are  bivalent.  Thb  contradicts  require¬ 
ment  C4.  □ 

4.  Robust  Commit  Protocol 

A  commit  protocol  b  rotust  means  that  in  spite  of  failure  of  any  one  process  at 
any  point  in  the  computation  the  remaining  processes  can  commit  to  a  value.  Failure 
of  a  process  can  be  modelled  by  no  event  happening  at  that  process.  It  b  somewhat 
more  difficult  to  define  a  fair  sequence  after  failure  of  a  process;  fortunately  we  don’t 


5 


need  to  define  that  concept.  We  can  work  with  a  very  weak  requirement  for  robustness: 
for  any  p,  it  should  be  posable  to  extend  a  bivalent  computation  to  a  univalent  com¬ 
putation  without  any  event  happening  on  p  in  between.  Formally, 

R::  For  every  bivalent  x  and  p,  there  exists  a  univalent  extension  s  of  a:  such 
that  X  [p]  z. 

We  now  show  that  no  robust  commit  protocol  has  a  decider  for  any  bivalent  computer 
tion. 

Lemma  2:: 

In  any  robust  commit  protocol,  any  two  computations  y  »  <x;  (c,  p)>  and  y '  ^ 
<z;(e',p)>  are  compatible. 

Proof:: 

If  2  is  univalent  then  y,  y^  are  compatible,  using  C3.  For  any  bivalent  x  and  p, 
apply  (R)  to  conclude  that  there  is  a  univalent  extension  z  ot  x  such  that  x  [p]  z.  From 
lemma  1,  y,s  are  compatible  and  also  y',z  are  compatible.  Since  z  is  univalent,  y,y'  are 
compatible. 

Theorem  2::  (Impossibility  of  Robust  Commit) 

There  is  no  robust  commit  protocol. 

Proof:: 

Immediate  from  theorem  1  and  lemma  2.  □ 

Acknowledgement 

We  are  greatly  indebted  to  members  of  the  Austin  Tuesday  Afternoon  Club  for  a 
thorough  reading  of  an  earlier  draft  of  thb  manuscript. 

References 

1.  Chandy,  K.  Mani  and  Misra,  Jayadev,  "How  Processes  Learn,"  Proctedingz 
of  the  Fourth  Annual  ACM  Sympozium  on  Prindplez  of  Distributed 
Computing,  Minaki,  Canada,  August  5-7,  1085  and  to  appear  in  Distributed 
Computing,  in  1085. 

2.  Fischer,  Michael  J.,  Lynch,  Nancy  A.,  and  Paterson,  Michael  S., 
"Impossibility  of  Distributed  Consensus  with  One  Faulty  Process," 
MIT/LCS/TR-282,  Laboratory  for  Computer  Science,  Massachus|rtts  In¬ 
stitute  of  Technology,  Cambridge,  MA. 


p 

p 

p 

t 

I 


m 


HOW  PROCESSES  LEARN 


K.  Hahl  Chandy  A  Jayadev  Nisra 

Department  of  Computer  Sciences  University  of  Texes  Austin.  78712 


I 


1.  Introduction 

Proceaaes  in  distributed  systems  communicste  with 
one  another  exclusively  by  sending  and  receiving 
messages.  A  process  hss  access  to  its  state  but  not  to 
the  states  of  other  processes.  Many  distributed 
algorithms  require  that  a  process  determine  facts 
about  the  overall  system  computation.  In 
anthropomorphic  terms,  proceaaes  ’learn"  about 
states  of  other  process  in  the  evolution  of  ssrstem 
computation.  This  paper  is  concerned  with  how 
processes  learn.  We  give  a  precise  characterixation  d 
the  minimum  information  flow  necessary  for  a  process 
to  determine  specific  facta  about  the  system. 

The  central  concept  in  our  study  is  that  of 
iaomorphitm  between  system  computations  with 
respect  to  a  process:  two  system  computations  are 
isomorphic  with  respect  to  a  process  if  the  process 
behavior  is  identical  in  both.  In  anthropomorphic 
terms,  "system  computations  are  isomorphic  with 
respect  to  a  process"  means  the  process  cannot 
distinguish  between  them. 

Many  correctness  arguments  about  distributed 
systems  have  the  following  operational  flavor  "I  will 
send  a  message  to  you  and  then  you  will  think  that  I 
am  busy  and  so  jrou  will  broadcast  . . .  *.  Such 
operational  arguments  are  difficult  to  understand  and 
error  prone.  The  bads  for  such  operational 
arguments  is  usually  a  "process  chain":  a  sequence  of 
measase  transfers  alone  a  chain  of  processes.  We 


advocate  nonoperational  reasoning.  The  basis  for 
nonoperationaJ  arguments  is  isomorphism;  we  relate 
isomorphism  to  process  chains.  Algebraic  properties 
of  system  computations  under  isomorphism  provide  a 
precise  framework  for  correctness  arguments. 

It  has  been  proposed  1 3,6  ]  that  a  notion  of 
"knowledge"  is  useful  in  studying  distributed 
computations.  In  earlier  works,  knowledge  is 
introduced  via  a  set  of  axioms  [  4  ].  Our  definition  of 
knowledge  is  based  on  isomorphism.  Our  model 
allows  us  to  study  how  knowledge  is  "gained"  or 
"lost".  One  of  our  key  theorems  states  that 
knowledge  gain  and  knowledge  loss  both  require 
sequential  transfer  of  information:  if  process  q  does 
not  know  fact  A  and  later,  p  knows  that  q  knows  A, 
then  q  must  have  communicated  with  p,  perhaps 
indirectly  through  other  processes,  between  these  two 
points  in  the  computation;  conversely,  if  p  knows  that 
q  knows  A  and  later,  q  does  not  know  A  then  p  must 
have  communicated  with  q  between  these  two  points 
in  the  computation.  In  the  first  case,  the  effect  of 
communication  is  to  inform  p  of  q’s  knowledge  of  A. 
Analogously,  in  the  second  case,  the  effect  of 
communication  is  to  inform  q  of  p's  intention  of 
relinquishing  its  knowledge  (that  q  knows  A). 
Generalisations  of  these  results  for  arbitrary  sequences 
of  processes  are  stated  and  proved  ss  corollaries  of  a 
general  theorem  on  isomorphism. 

We  use  the  results  alluded  to  in  the  last  paragraph 


Pcrmittion  to  copy  without  fee  all  or  part  of  this  material  is  granted 
provided  that  the  copies  are  not  made  or  disiribuied  for  direct 
commercial  advantage,  the  ACM  copyright  notice  and  the  title  of  the 
publication  and  its  dale  appear,  and  notice  is  given  that  copying  is  by 
permiuion  of  the  Association  for  Computing  Machinery.  To  copy 
otherwise,  or  to  republish,  requires  a  fee  and/or  speciTic  permiMion. 


•1985  ACM  0^9791'167-9/1985/0800-0204  $00.75 


for  provinf  lower  bounds  on  the  number  of  messages 
required  to  solve  certain  problems.  We  show,  for 
instance,  that  there  is  no  algorithm  to  detect 
termination  of  an  underlying  computation  using  only 
a  bounded  number  of  overhead  messages. 

2.  Model  of  a  Distributed  System 

A  distributed  system  consists  of  a  finite  set  of 
processes.  A  process  is  characterized  by  a  set  of 
process  computations  each  of  which  is  a  finite 
sequence  of  events  on  that  process.  Process 
computations  are  prefix  closed,  i.e.  all  prefixes  of  a 
process  computation  are  also  process  computations  (of 
that  process).  An  event  on  a  process  is  either  a  send, 
a  receive  or  an  irUemal  event.  A  send  event  on  a 
process  corresponds  to  sending  of  a  message  to 
another  process.  A  receive  event  on  a  process 
corresponds  to  reception  of  a  message  by  the  process. 
There  is  no  external  communication  associated  with 
an  interna/  event.  For  a  set  of  processes  P,  a  send 
event  by  P  is  a  send  event  by  some  component  process 
of  P  to  a  process  outside  P,  similarly  a  receive  event 
by  P  denotes  receipt  by  some  process  in  P  of  a 
message  sent  from  outside  P.  Communication  among 
processes  in  P  are  internal  events  of  P.  We  use  "e  is 
on  P",  for  event  e  and  process  set  P,  to  denote  that  e 
is  an  event  on  some  proceas  in  P.  We  rule  out 
processes  which  have  no  event  in  any  computation. 
We  assume  that  all  events  and  all  messages  are 
distinguished;  for  instance,  multiple  occurrences  of  the 
same  message  are  distinguished  by  affixing  sequence 
numbers  to  them. 

Let  z  be  any  sequence  of  events  on  component 
processes  of  a  distributed  system.  The  projection  of  z 
on  a  component  process  p,  denoted  by  z^,  is  the 
subsequence  of  z  consiating  of  all  events  on  p.  A  finite 
sequence  of  events  z  is  a  system  computatton  of  a 
'  distributed  system  means  (1)  for  all  processes  p,  z^  is 
a  process  computation  of  p  and,  (2)  for  every  receive 
event  in  z,  say  receipt  of  message  m  by  proceas  p, 
there  is  a  send  event,  of  sending  m  to  p,  which  occurs 


earlier  than  the  receive  in  z:  this  send  event  will  be 
called  the  send  event  eorreeponding  to  the  receive. 
We  leave  it  to  the  reader  to  show  that  system 
computations  are  prefix  closed. 

In  this  paper  we  consider  a  single  (generic) 
distributed  system.  For  instance,  when  we  say  *z  is  a 
computation*  we  mean  that  z  is  a  computation  of  the 
distributed  system  considered  here.  We  use 
computation  to  mean  system  computation  when  no 
confusion  can  arise. 

Notationi  We  use  x,  y,  z  to  denote 
computations,  p,  g  for  processes  and  F,  Q  for  process 
sets;  these  symbols  may  be  used  with  subscripts  or 
superscripts.  The  concatenation  of  two  sequences  y 
and  z  will  be  denoted  by  (y;z).  For  sequences  y  and  z, 
y  <  z  denotes  that  y  is  a  prefix  of  z;  in  this  case  (y, 
z)  denotes  the  suffix  of  z  obtained  by  removing  y 

from  z.  The  empty  sequence  will  be  denoted  by  null. 
The  symbol  ~  is  used  to  denote  equalities  among  sets 

and  among  predicates.  The  symbol  m  is  used  for 
definitions.  The  set  of  all  processes  in  the  system  will 
be  denoted  by  D  and  for  any  process  set 

P,  P  —  D  -  P. 

3.  Isomorphism 

We  define  the  relation  [p|  on  the  set  of  system 

computations  as  follows. 

Dsfinitioni  For  system  computations  x,y: 
x[p|y  m  (*,-*»,)• 

In  other  words,  x|p|y  means  p's  computation  is  the 
same  in  system  computations  x  and  y.  In  this  case, 
we  say  x,  y  are  ieomorpkie  with  reepeet  to  p.  For  a 
process  set  P,  define  relation  (P),  on  the  system 
computations,  as  follows. 

Dsfinitleni  z  (Pj  y  m  for  all  p  in  P,  x  [p]  y. 

Thus  z  |P]  y  means  that,  given  only  the  computations 
of  processes  in  P  we  cannot  distinguish  z  from  y. 
From  definition,  z  [  {  }  |  y,  for  ail  computations  z,  y 
where  {  }  denotes  the  empty  set.  (TESIrve  that  [  P]  is 
an  equivalence  relation. 


205 


A  jjju  jyui.aij ..  .  ,11 


It  is  convenient  to  represent  nil  such  isomorphism 
relations  by  an  iaomorphitm  diagram:  an  undirected 
labelled  (raph  whose  vertices  are  computations  and 
there  is  an  edge  labelled  [  P\  between  vertices  z,  y  if  P 
is  the  largest  wset  of  processes  for  which  z  [P|  y. 
Observe  that  every  vertex  has  a  self  loop  labelled  [  D  ] 
where  D  is  the  set  of  all  processes  in  the  system. 
NoU  that  X  [D]  y,  X  yd  y,  implies  y  is  a  permutation 
of  z. 

Example  1:  Consider  a  system  with  two 
processes,  p  and  q,  for  which  part  of  the  isomorphism 
diagram,  showing  the  relationships  among  four  system 
computation,  is  given  below. 


From  the  diagram  z  [p|  y,  but  not  z  [f]  y.  This 
means  p  has  the  same  computations  in  both  z  and  y, 
whereas  q'a  eomputations  in  z  and  y  differ. 
Computations  z  and  x  have  the  same  computations 
for  both  p  and  q;  hence  one  is  a  permutation  of  the 
other.  There  is  no  direct  relationship  between  y  and 
ur,  neither  y  [p|  w  nor  y  [4I  w  holds.  However,  there  is 
an  indirect  relationship  between  y  and  w  because 
y\p\x  and  x  [9I  w.  We  explore  such  indirect 
relationships  next. 

O 

Dcflnition:  Let  n  >  0  and  Pf  be  process  sets, 
0  <  «•  <  n. 

for  some  computation  y. 


Hence,  (/*<3l  —  (P)  o  [Q]  where  "o"  is  the 
relational  comporition  operator.  This  operator  is 
associative  (from  properties  of  reiations).  In  ternu  of 
the  isomorphism  diagram,  x[P^  .  .  .  /»J  *  means  there 
is  a  path  from  z  to  z  whose  edges  are  labelled  with 
Qo*  •  •  •  respectively,  where  Q.  D  P^,  for  all ». 

Example  1  (eontd.):  We  have  y  [p  ^  u;  and 
w  (9  p]  y.  Also,  trivially,  y  (y  p|  *,  y  (9  p  9J  *,  etc. 

□ 


We  note  some  properties  of  isomorphism  relations. 
In  the  following,  P,  P^, . . .  Q,  denote  arbitrary 
process  sets  and  z,  y,  x  denote  arbitrary 
computations. 

1.  (P]  is  an  equivalence  relation. 

2.  (Substitution)  ((/»)  —  («])  impliea 

([e^i]  *  (o*Tr))  for  arbitrary 

sequences  of  process  sets  a,  0,  7,  t. 

3.  (Idempotence)  [PP|  —  [P] 

4.  (Reflexivity)  z  [  P,  .  ,  .  j  Z 

5.  (Inversion)  z  |P,  . . .  P  j  y  wi 
ylP,...PJz 

8.  (Concatenation)  For  0  <  m  <  n. 


3|P  »[Pi. 


.P. 


y.  y  [P. 


m+1 


m  m^l 


7.lPu<?)-(|PJnlQ)) 
8.  (Q2P)-(1<?1C[P]) 
8.  (P-Q)-(IP)-[Q]) 


10.  Q  D  P  implies  ([  Q  P]  -  [  P]  -  [  P  Q  ]) 


These  properties  follow  from  properties  of 
relations  and  our  model.  We  only  sketch  a  proof  of 
one  part  of  property  8: 

(lQlC[Pl).mpKes(QDP). 

If  Q  gP  then  there  is  a  process  p  in  P—  Q.  From  our 
model,  p  has  an  event  e  in  some  computation  (z.z). 
Then  z  [  Q )  (z;e)  and  ~z  [  P]  (z;e).  Hence  ( Q )  £|  P]. 


206 


S.l.  Process  Chains 

As  noted  in  the  introduction,  the  basis  for  many 
operational  arguments  are  process  chains:  process  p 
informing  q  which  in  turn,  informs  r  etc.  One  of  our 
goals  is  to  replace  such  concepts  by  algebraic 
properties  of  system  computations.  In  this  section,  we 
show  how  process  chains  are  related  to  isomorphism. 
We  first  define  process  chains;  this  definition  is  along 
the  lines  suggested  by  Lamport  |  5  |. 

Definition:  For  events  e,  s'  in  a  computation 
X,  e  -W  means: 

1.  s'  is  a  receive  and  e  is  the  corresponding 
send,  or 

2.  events  e,  ef  are  in  the  same  process 
computation  and  (e  «  s'  or  e  occurs  earlier 
than  ef),  or 

3.  there  exists  an  event  e*  such  that  e  -Ac* 
and  «•  -4  c'. 

For  brevity  we  write  e  — ►  ^  when  the 
computation  x  is  understood  from  context.  We  will 
write  <0  “*  *1  “*  •••*«-!“**«'“  shorthand  for 
<0  -*  ej  and  . . .  and  j  -»  e^.  Observe  that 
e  —  e  tor  every  event  e  in  x.  A  computation  x  has  a 
procexx  chain  <Pg  ...  P^>  means  there  exist 
events  e^,  Cj,  .  .  .  e^,  not  necessarily  distinct,  in  x  such 
that  event  e.  is  on  P^,  for  all  0  <  t  <  n,  and 

-  V 

Observation  1:  Any  occurrence  of  ’P  ”  in  a 
process  chain  may  be  replaced  by  "F  P”,  or  vice 
versa,  since  for  any  event  e  on  F,  e  ->  e. 

Observation  2:  Let  z  be  a  sequence  consisting  of 
a  subset  of  events  from  a  computation  y.  Suppose 
that  for  every  event  e  in  z,  every  where  e'**e,  is 
also  in  z  and  ^  Then  z  is  a  computation. 


Theorem  1:  (Fundamental  Theorem  of  Process 
Chains) 

Let  z  be  a  computation  and  z  a  prefix  of  z.  Let  F^, 
Pg  ...  F^,  n  >  I,  be  sets  of  processes.  Then 
z  ( F|  Fj  . .  .  F^  I  z  or  there  is  a  process  chain 
<F,  Fj  . . .  F„>  in  (z,z). 

n 

Proof:  Omitted 

O 

S.3.  An  Application  of  laomorphiam:  How  To 
Construct  A  Computation  By  Fusing 
Separate  Ones 

In  this  section,  we  show  an  application  of 
isomorphism:  we  give  a  construction  to  "fuse”  two 
computations  to  obtain  a  new  computation,  provided 
certun  types  of  paths  exist  in  the  isomorphism 
diagram.  We  motivate  the  discussion  by  the  following 

observations.  Suppose  (xiE)  and  (x;E)  are 
computations  where  all  events  in  E  are  on  a  process 

set  F  and  all  events  in  are  on  7^.  Then,  from 
definition,  (z*Jf;£)  and  (z*,£;]?)  are  also  computations, 

because  events  in  E^  are  independent  and  hence  may 
be  fused  in  arbitrary  order.  A  similar  result  appears 
in  Fischer,  Lynch  and  Paterson  [  2  ].  The  following 
lemma  is  a  generalization  of  this  observation. 

Lemma  1:  Let  z,  y,  z  be  computations  where 
z  <  y  and  z  <  z.  Let  F,  Q  be  such  that  Fu  Q  =  D, 
z  I F]  y  and  z  [  Q  ]  z.  Then  there  exists  a 
computation  w  where  z  <  w,  y  [  Q  |  w  and  z  [  F]  u). 

0 

The  relationships  among  z,  y,  z  and  w  are 
represented  by  the  following  commutative 
isomorphism  diagram. 


3.2.  Relationship  Between  laomorphiam  and 
Proceaa  Chain 


X 


Figure  3-2:  Isomorphiam  Diagram  Depicting 
Fusion 

Proof  of  the  Lemme: 

Let  tv  «  x;  (x.y);  (x,x). 

From  the  condition  of  the  lemma,  (x,  y)  has  events 
only  on  "P  and  (x,  x)  has  events  only  on  Q.  '  Since 

PU Pn5“{  }  end  hence  no  process  has 
events  in  both  (x.y)  and  (z,x).  It  follows,  from 
definition  of  computations,  that  tv  is  a  computation. 
Also  y[Q]w,  *  ( P]  tv  and  x  <  tv,  as  required  for 
proof  of  the  lemma. 

□ 

Note  that,  in  the  construction  of  lemma  2,  all 

events  from  E  and  S  were  present  in  the  fused 
computation.  We  prove  a  far  more  general  result 
below.  We  show  that  for  any  two  arbitrary 
computations  y  and  x,  the  projected  computations,  yp 
and  Xp,  may  be  fused  to  form  a  new  computation 
provided  there  is  a  computation  x  which  is  a  prefix  of 

both  y  and  x,  and  no  message  sent  by  P  in  (x,y)  is 
received  by  P  in  (x,y)  and  no  message  sent  by  P  in 

(x,z)  is  received  by  P  in  (x,x).  This  makes  intuitive 
sense:  processes  in  P  can  execute  all  events  in  y  given 

only  that  processes  in  P  execute  ail  events  up  to  x 

and  similarly  for  executions  of  events  on  ?  up  to  x. 
However,  the  statement  and  proof  of  this  result  are 
difficult  without  the  notion  of  isomorphism.  We  note 
that  the  result  may  be  easily  generalized  to  fusions  of 


arbitrary  numbers  of  computations  under  similar 
constraints. 

Theorem  2:  (Fusion  of  Computntions): 
Consider  system  computations  x,  y,  x  where  x  <  y 
and  X  <  X.  Let  P  be  a  set  of  processes  such  that 

there  is  no  process  chain,  (1)  <Pp>  in  (x,  y)  and  (2) 
<PP>  in  (x,  z).  Then  there  is  a  computation  tv 
where,  x  <  tv,  y  [  P  |  tv  and  x  [  P|  tv.  That  is,  tv 

consists  of  all  events  on  P  from  y  and  all  events  on  P 
from  X. 

□ 

Proof  of  the  Theorem:  According  to  theorem 
1,  absence  of  process  chains  as  given  in  this  theorem 
means  that,  x  [ P?  j  y  and  x  [P  P]  x. 

Consider  the  isomorphism  diagram  in  Fig.  3-3. 
Label  the  intermediate  point  between  x,  y  as  u  and 
between  x,  x  as  v  in  this  figure.  Now  we  apply  lemma 

1  to  X,  u,  V  to  obtain  w.  Note  that,  u  [P]  y  and 

u[P|w;  hence  y(P)tu.  Similarly  z|P)w.  This 
proves  the  theorem. 

□ 


X 


Figure  3-3:  Isomorphism  Diagram  Depicting  Proof 
of  Fusion  Theorem 

3.4.  Semantics  Of  Event  Types  In  Terms  Of 
Isomorphism 

We  now  use  isomorphism  to  state  and  derive  some 
important  facts  about  various  types  of  events.  First, 


208 


note  that  a  process  carries  out  an  internal  event  or 
sends  a  message  depending  on  its  own  computation 
alone.  Therefore,  if  a  process  takes  such  a  step  in  a 
computation  x,  it  will  also  do  so  in  y,  if  x,  y  are 
isomorphic  with  respect  to  this  process.  An  analogous 
result  holds  for  internal  and  receive  events.  The 
following  principle,  which  states  these  facts  formally, 
may  be  proven  from  the  definition  of  system 
computation. 

Principle  of  Computation  Extension:: 

Let  e  be  an  event  on  P. 

1.  c  is  an  internal  or  send  event: 

(x  [  P]  y  and  (x;e)  is  a  computation)  implies 
(y;e)  is  a  computation 

2.  e  is  an  internal  or  receive  event: 

(x;e)  ( P\  y  implies  (y  -  e)  is  a  computation, 
where  (y  —  e)  is  the  sequence  obtained  by 
deleting  e  from  y. 

□ 

Note:  In  (1),  (ar,e)  (Pj  (y,e)  and  in  (2), 

x|P)(y-e). 

Corollary:  Let  e  be  a  receive  event  on  P  and  let  the 

corresponding  send  event  be  on  Q. 

(x  I PU  Q )  y  and  (x;e)  is  a  computation)  implies 
(y,-e)  is  a  computation. 

O 

Proof:  e  is  an  internal  event  of  PU  Q- 

□ 

Following  theorem  follows  from  the  principle  of 
computation  extension. 

Theorem  S:  Let  (x,-e)  be  a  computation  where  e 
is  an  event  on  P. 

Caae  1:  e  is  a  receive: 

for  every  z:  (x;e)  [ P7* )  *  implies  x  [  PP]  * 

CaM  3:  e  is  a  send: 

for  every  r  x  ( P  P  |  *  implies  (x;e)  { P  P  |  x 

CaM  3:  e  is  an  inUrnal  event: 

for  every  r.  (x*,e)  [ PP]  *  x  [  PP]  x 

a 


Proof:  We  will  prove  only  Case  2;  other  cases  are 
nmilarly  proven. 

x(PP]  X  implies  there  exists  y,  x  [P]  y  and  y  [P]  r. 
From  principle  of  computation  extension,  (y,-e)  is  a 
computation  and  (x;e)  (P)  (ye). 

Also,  (y:e)  [Ply. 

Hence,  (x;e)  [Pp  P)  x  and  therfore,  (x;e)  [PP]  x. 

□ 

This  theorem  captures  the  intuitive  notion  that 
the  set  of  possible  computations,  isomorphic  with 
respect  to  P,  can  only  shrink  in  size  as  a  result  of  a 
reception  as  computations  which  do  not  include  the 
corresponding  send  are  ruled  out.  Similarly,  the  set 
of  possible  computations,  isomorphic  with  respect  to  P 
cannot  shrink  as  a  result  of  a  send:  after  the  send, 
additional  computations  which  accept  the  message 
sent  are  isomorphic  while  all  prior  isomorphic 
computations  remain  isomorphic.  An  internal  event 
can  neither  expand  nor  shrink  the  set  of  isomorphic 
computations. 

4.  Knowledge 

As  we  have  remarked  earlier,  predicates  of  the 
f*  knows  b  at  X  may  be  defined  using 
isomorphism.  We  explore  properties  of  such 
predicates  in  our  model.  We  show  that  they  satisfy 
the  "knowledge  axioms*  as  given  in  (  3,6  ].  We  prove 
a  general  result  which  shows  that  certain  forms  of 
knowledge  can  only  be  gained  or  lost  in  a  sequential 
fashion  along  a  chain  of  processes.  That  is,  if  b  is 
false  for  a  computation  and  later,  P^  knows  Pj  knows 

.  . .  P^  knows  b  (this  represents  knowledge  gain), 
then  there  *is  a  process  chain  •  •  •  P{> 

between  these  two  points  of  the  computation. 
Conversely,  if  Pj  knows  Pj  knows  •  •  •  P„  knows  b 
and  later,  b  is  false  (this  represents  knowledge  loss), 
then  there  is  a  process  chain_.^P|  Pj  ...  P^> 
between  these  two  points  of  the  computation. 


209 


Crucial  to  our  work  is  the  notion  of  local 
predicates:  a  predicate  local  to  p  can  change  in  value 
only  as  a  result  of  events  on  p.  We  show  that  local 
predicates  play  a  key  role  in  understanding  knowledge 
predicates. 

4.1.  Knowledga  Predicates 

Let  6  denote  a  predicate  on  system  computations 
and  "b  at  x"  its  value  for  computation  x.  Our 
predicates  are  total,  i.e.  for  each  x,  b  at  x  is  either 
true  or  false.  We  furthermore  assume  that 
X  [D  \  y  implies  {b  at  x^b  at  y)  for  every  predicate 
b.  Thus  predicate  values  depend  only  upon 

computations  of  component  processes  and  not  on  the 
way  independent  events  are  ordered  in  a  linear 
representation  of  the  computation.  A  predicate  c  is  a 
constant  means  e  at  x  ^  e  at  y,  tor  ail  computations 
X,  y.  We  now  define  (P  knows  b)  at  x. 

Definition:  (P  knows  b)  at  x  for  all  y: 
X  [P]  y  :  b  at  y 

Note  that  b  may  itself  be  a  predicate  of  the  form 
Q  knows  V  in  the  above  definition.  We  next  note 
some  facts  about  knowledge  predicates.  In  the 
following,  X,  p  are  arbitrary  computations,  6,  V  are 
arbitrary  predicates  and  P,  Q  are  arbitrary  sets  of 
processes.  All  facts  are  universally  quantified  over  all 
computations.  We  use  the  convention  that  P  knows 
Q  knows  6  at  X  is  to  be  interpreted  as  (P  knows  {Q 
knows  6)]  at  x. 

1.  P  knows  b  at  X  ^  for  all  y:  x[P]y  :  P 
knows  b  at  y 

2.  X  [  P|  y  implies  [P  knows  b  at  x  P 
knows  b  at  y] 

3.  (P  knows  6)  implies  (Pu  Q  knows  b) 

4.  (P  knows  6)  implies  (6) 

5.  (P  knows  b)  or  — P  knows  b) 

S.  (P  knows  b)  and  (P  knows  V)  ^  P  knows 
(t  and  y) 


7.  {(P  knows  b)  or  (P  knows  V))  implies  (P 
knows  (b  or  V)) 

8.  (P  knows  ~6)  implies  (~P  knows  b) 

2.  ((P  knows  b)  and  (b  implies  V))  implies 
(P  knows  V) 

10.  P  knows  P  knows  b  ^  P  knows  b 

11.  P  knows  ~P  knows  b  ™  ~P  knows  b 

12.  P  knows  e,  tor  any  constant  c. 

These  facts  are  easily  derivable  from  the  definition 
of  knows.  We  give  a  proof  of  (11),  whose  validity  in 
other  domains  have  been  questioned  on  philosophical 
grounds  [  3  ]. 

Lemma  2:  P  knows  '^P  knows  b  =  ~P  knows  b 

□ 

Proof:  P  knows  ~P  knows  b  at  x 
~  for  all  y:  X  [  P]  y  :  ~P  knows  b  at  y, 
from  definition 

^  for  all  y:  X  [  P]  y:  there  exists  z: 

y  [  P]  s:  — b  at  z,  from  definition 
=  there  exists  f.  x\P\zr.  ~b  at  z, 
since  [P|  is  an  equivalence  relation 
=  — P  knows  b  at  X 

□ 

There  are  situations  where  multiple  levels  of 
knowledge  such  as,  P  knows  Q  knows  b,  are  useful. 
For  instance,  consider  a  token  bus  which  is  a  linear 
sequence  of  processes  among  which  a  token  is  passed 
back  and  forth;  processes  at  the  left  or  right  boundary 
have  only  a  right  or  left  neighbor  to  whom  they  may 
pass  the  token;  other  processes  may  send  it  to  either 
neighbor.  There  is  only  one  token  in  the  system  and 
initially  it  is  at  the  leftmost  process.  Consider  a 
token  bus  with  five  processes  labelled  p,  q,  r,  s,  t  from 
left  to  right.  When  r  holds  the  token, 

r  knows  ( (q  knows  (p  does  not  hold  the  token))  and 
(s  knows  (t  does  not  hold  the  token))  ) 

Relations  of  the  form  ( P  Q ),  with  multiple  process 
sets  arise  from  predicates  with  multiple  occurrence  of 
knows; 


71.0 


For  instMce: 
p  know*  q  know*  b  at  t 
^  [or  all  y.  x{p]p:  q  know*  b  at  p 
K  for  all  y:  X  [  p  ]  y:  (for  all  z;  y  [  9 1  2:  b  at  z) 

3K  for  all  z:  z  I  p  9  ]  z:  b  at  z 

4.3.  Local  Predicates 

Let  6  be  a  predicate  on  system  computations,  and 
P  a  set  of  processes.  We  define  a  predicate  P  *ure  b 
as  follows. 

Definition:  (P  sure  b)  at  x  s  [  (P  know*  b)  at  x  or 
(P  know*  — 6)  at  x\ 

In  other  words  (P  sure  6)  at  x  means  that  P  knows 
the  value  of  6  at  x. 

We  define  unsure  as  negation  of  sure. 

Definition:  P  unsure  b  ss  — P  sure  b 

Hence,  (P  unsure  b)  at  x  »  li^P  know*  b)  at  x  and 
(~P  know*  — b)  at  x] 

Definition:  b  is  local  to  P  =  for  all  x;  (P  sure  6) 
at  X. 

That  is,  the  value  of  6  is  alway*  known  to  P. 
Local  predicates  capture  our  intuitive  notion  of  a 
predicate  whose  value  is  controlled  by  the  actions  of 
processes  to  which  it  is  local. 

We  note  the  following  facts  about  local  predicates; 
in  the  following,  6  is  an  arbitrary  predicate  and  P,  Q 
are  arbitrary  sets  of  processes. 

1.  (6  IS  local  to  P  and  x  [P|  y)  implie* 

(b  at  X  ^  b  at  y) 

2.  6  ts  local  to  P  implie*  (b  ^  P  know*  b) 

3.  b  i*  local  to  P  sb  ('^6)  ts  local  to  P. 

4.  b  IS  local  to  P  implie* 

( Q  know*  b  ^  Q  know*  P  know*  b  ] 

5.  (P  know*  b)  IS  local  to  P. 

6.  6  IS  local  to  P  and  b  ts  local  to  Q  and  PjQ 
are  disjoint  implie*  6  is  a  constant. 

7.  6  is  a  constant  implie*  b  ts  local  to  P. 

8.  (P  sure  6)  ts  local  to  P. 


Proof  of  (1)  follows  from  definition  of  knowledge 
and  local  predicates.  (2)  and  (3)  follow  trivially.  (4) 
follows  from  Q  know*  b  at  x  =  for  all  y;  x  |  Q  j  y  : 
6  at  y  s  for  all  y  :  x  [  Q  |  y  :  P  know*  b  at  y  (since  6 
is  local  to  P)  =  Q  know*  P  know*  b  at  x.  (5)  follows 
from,  (P  know*  P  know*  6  or  P  know*  ~P  knows  6) 
=  (P  know*  b  or  — P  know*  b)  =  true.  Proof  of  (6) 
is  important  and  hen^e  is  given  below  as  a  lemma. 
(7)  and  (8)  are  trivially  proven  from  definition. 

Lemma  3:  b  ts  local  to  disjoint  sets  P,  Q  implies 
bis  a  constant 

□ 

Proof:  We  show  that  b  at  x  =  b  at  null,  for  all  x. 
Proof  is  by  induction  on  length  of  x. 
b  at  null  X  b  at  null. 

b  at  (x;e)  =  b  at  x,  because  event  e  is  not  on  Por 

e  is  not  on  Q,  and  hence 
(x;e)  [P|  X  or  (x;e)  [Q]  x; 

then  the  result  follows  from  property  (1). 

□ 

For  a  system  of  processes,  6  ts  common  knowledge 
is  defined  as  the  greatest  fix  point  of  the  following 
equation. 

b  IS  common  knowledge  s  6  and  (p  knows  b)  is 
common  knowledge,  for  all  processes  p.  Intuitively,  b 
IS  common  knowledge  means  b  is  true,  every  process 
know*  b,  every  process  know*  that  every  process 
know*  b,  etc. 

Halpern  and  Moses  [  3  ]  have  shown  that  common 
knowledge  cannot  be  gained,  if  it  was  not  present 
initially,  in  a  system  which  does  not  admit  of 
simultaneous  events.  The  following  corollary  to 
lemma  3  shows  that  common  knowledge  can  be 
neither  gained  nor  lost  in  distributed  systems. 

Corollary:  In  a  system  with  more  than  one 
process,  for  any  predicate  b,  6  ts  common  knowledge 
is  a  constant.  _  ^ 

□ 


211 


Proofs  For  wsy  proem  p,  6  t4  common  knowledge 
SB  p  know*  (6  it  common  knowledge).  Hence,  6  ia 
common  knowledge  is  local  to  every  p.  Applying 
lemma  3,  b  ia  common  knowledge  is  a  constant. 

□ 

It  is  possible  to  show  that  even  weaker  forms  of 
knowledge  cannot  be  gained  or  lost  in  our  model  of 
distributed  systems.  Process  sets  P,  Q  have  identical 

knowledge  of  b  means, 

P  knowa  b  =  Q  know*  b 

Corollary:  If  P,  Q  are  disjoint  and  have 

identical  knowledge  of  b  then  P  knowa  b  (and  also 
Q  knowa  6)  is  a  constant. 

□ 

Proof:  P  know*  b  is  local  to  P  and  Q  knowa  b  ia 
local  to  Q.  From  P know*  b^Q  knowa  b,  they  are 
also  local  to  Q  and  P  respectively.  The  result  follows 
directly  from  lemma  3. 

Q 

Corollary:  If  P,Q  are  disjoint  and  P  aure  b  =  Q 
sure  6,  then  P  sure  b  (and  also  Q  sure  6)  is  a 
constant. 

□ 

4.3.  How  Knowledge  Is  Transferred 

We  show  in  this  section  that  chains  of  knowledge 
are  gained  or  lost  in  a  sequential  manner. 

Theorem  4:  For  arbitrary  process  sets 

•  •  •  ’  ^n’  ”  —  predicate  6  and  computations  x, 

V, 

(P^  knowa  ■  ■  ■  P„  knowa  b  at  x  and  z  ( Pj  .  .  .  P„  1  y) 
impliea  (P^  knowa  b  at  y) 

□ 

Proof:  Proof  is  by  induction  on  n.  For  n  «  1, 
Pj  knowa  b  at  x,  x  (Pj  ]  y  impliea  Pj  knowa  b  at  y, 
trivially. 

Assume  the  induction  hypothesis  for  some  n  —  1, 

n  >  1,  and  assume 


P,  knowa  .  .  .  P  knowa  b  at  x  and  x  (P,  .  .  .  P  I  v. 

We  shall  prove  P^  knowa  b  at  y. 

From  X  [Pj  .  .  .  P^]  y,  we  conclude  that  there  is  a  z 
such  that, 

*1^1  •  •  •  siPjy. 

F  rom  *1^1  •  •  •  _  1 1  *  Pj  knowa  .  .  . 

P^  _  I  knowa  (P^  knowa  b)  at  x,  we  conclude,  using 
induction,  P  ,  knowa  P  knowa  b  at  z.  Hence,  P 
knowa  b  at  z. 

Since  z  [P^]  y,  P^  know*  b  at  y. 

□ 

Corollary:  For  arbitrary  process  sets 

Pj  .  .  .  P^,  n  >  1,  predicate  b  and  computations  x, 

y. 

(Pj  knowa  .  •  .  P„  _  j  know*  ~P„  knowa  b  at  x  and 
X  [Pj  .  .  .  P^]  y)  impliea  ~P„  knowa  b  at  y 

□ 

Note:  For  n  =  1  antecedant  is,  — P^  knowa  b  at 

X. 

Corollary:  Theorem  4  bolds  with  knowa  replaced 
by  aure. 

Theorem  4  can  be  applied  to  (1)  x  <  y 
(knowledge  is  lost)  and  (2)  y  <  x  (knowledge  is 
gained).  Using  theorem  1,  we  can  deduce  that  there  is 
a  process  chain  <  Pj  .  .  .  P^  >  in  the  former  case 
ind  <  p  .  .  .  P,  >  in  the  latter  case.  We  first  prove 
a  simple  lemma  about  the  effect  of  receive  or  send  on 
knowledge:  we  show  that  certain  forms  of  knowledge 
cannot  be  lost  by  receiving  nor  gained  by  sending. 

Lemma  4:  (How  events  at  a  process  change  its 
knowledge) 

Let  6  be  a  predicate  which  is  local  to  P  and  (x.'e)  a 

computation  where  e  is  an  event  on  P. 

1.  e  is  a  receive:  {knowledge  is  not  lost} 

(P  knowa  b  at  x)  impliea  (P  knowa  b  at  (x,r)) 


2.  e  is  a  send:  {knowledge  is  not  gained} 

(P  knows  b  at  (x,t))  implies  (F  knows  b  at  x) 

3.  e  is  an  internal  event:  (knowledge  is  neither 
lost  nor  gained) 

(P  knows  b  at  x)  ^  (P  knows  b  at  (x,-e)) 

a 

Proof:  We  prove  only  (1).  Consider  any  z  such 
that  (jr.-e)  [P]  z.  We  will  show  b  at  z  and  hence  it 
follows  that  P  knows  b  at  (x;e). 

Since  s  |  P  ]  s,  we  have  (x;e)  ( P  P  |  z. 

From  theorem  3,  since  e  is  a  receive,  z  [PP|  z. 
Since  b  is  local  to  P, 

P  knows  b  =  P  knows  P  knows  b. 

From  theorem  4, 

(P  knows  P  knows  6  at  z,  z  ( P  P  ]  s)  implies 
(P  knows  b  at  s) 

(P  knows  b  at  z)  implies  {b  at  z) 

This  completes  the  proof. 

0 

CoroIUry:  (6  is  local  to  P,  -“-P  knows  b  at  x,  P 
knows  b  at  y,  X  <  y)  implies  (P  receives  a  message  in 
{*.  »))• 

□ 

Corollary:  (i  is  local  to  P,  P  knows  b  at  x, 
— P  knows  b  at  y,  X  <  y)  implies  (P  sends  a  message 
in  (z,  y)). 

□ 

Theorem  S:  (How  Knowledge  Is  Gained:) 
Let  z,  y  be  computations  where  z  <  y, 
~(P^  knows  b)  at  x  and  (Pj  knows  ■  •  •  P„  knows  b) 
at  y,  for  arbitrary  process  sets  Pj  .  .  .  P^,  n  >  1. 
Then  there  is  a  process  chain  <P^  . . .  Py>  in  (z,  y). 

'Turtbermore,  if  ft  is  local  to  P_  then  P_  has  a  receive 
event  in  (z,  y)  such  that  b  at  z  holds  for  every  prefix  z 
of  y  which  includes  the  corresponding  send  event. 

□ 


Theorem  8:  (How  Knowledge  Is  Lost:) 

Let  z,  y  be  computations  where  z  <  y, 
P.  knows  . . .  P  knows  b  at  x  and  — P  knows  b  at 
y,  for  arbitrary  process  sets  P^.  .  .P^,n  >  1.  Then 
there  is  a  process  chain  <Pj  .  .  .  P„>  in  (z,  y). 
Furthermore,  if  b  is  local  to  P  then  P  has  a  send 
event  in  (z,  y). 

□ 

Observe  that  the  statements  of  the  two  theorems 
are  not  entirely  symmetric  for  receive  and  send 
events.  The  reason  is  that  every  computation 
including  a  receive  must  also  include  the 
corresponding  send,  but  not  conversely. 

Theorems  4,  5,  6  and  their  corollaries  hold  with 
knows  replaced  by  sure. 

5.  Applications  Of  The  Results 

We  sketch  a  few  applications  of  the  theory 
developed  so  far.  A  full  treatment  of  these  results 
may  be  found  in  [  8  J. 

We  show  that  it  is  impossible  for  process  P  to 
track  the  change  in  value  of  a  local  predicate  of  P, 
exactly  at  all  times;  P  must  be  unsure  about  the  value 
of  this  predicate  while  it  is  undergoing  change.  We 
also  show  that  necessary  condition  for  changing  a 

local  predicate  6  of  7,  is  that  7  knows  P  unsure  6,  at 
the  point  of  change. 

Traditional  techniques  for  process  failure  detection 
based  on  timeouts  assume  certain  execution  speeds 
for  processes  and  maximum  delays  for  message 
transfer.  It  is  generally  accepted  that  detection  of 
failure  is  impossible  without  using  time-outs,  a  fact 
that  we  prove  formally.  We  use  the  fact  that  failure 
of  a  process  is  local  to  the  process  and  the  process 
does  not  send  messages  after  its  failure;  hence  other 
processes  remain  unsure  at  all  poiflV  about  a  process 
failure. 


We  show  that  any  algorithm,  which  detects 
termination  of  an  underlying  computation,  requires  at 
least  as  many  overhead  messages,  in  general,  for 
detection  as  there  are  messages  in  the  underlying 
computation.  first  show  that  in  order  for 

termination  to  be  detected,  an  overhead  message  is 
sent  by  some  process,  without  its  first  receiving  a 
message,  after  the  underlying  computation  terminates; 
this  fact  is  proven  directly  from  the  theorem  of 
knowledge  gain,  because  detecting  termination 
amounts  to  gaining  knowledge. 

Next  we  show  that  a  process  is  sometimes  required 
to  send  an  overhead  message  even  when  the 
underlying  computation  has  not  terminated,  because 
the  computation  may  be  isomorphic  (with  respect  to 
this  process)  to  a  computation  in  which  the 
underlying  computation  has  terminated.  Using  these 
two  results,  we  construct  a  computation,  in  which  the 
number  of  overhead  messages  is  at  least  as  many  as 
the  number  of  underlying  messages. 

0.  Discussion 

We  have  shown  that  isomorphisms  between  system 
computations  with  respect  to  a  process  is  a  useful 
concept  in  reasoning  about  distributed  systems. 
Isomorphism  forms  the  basis  for  defining  and  deriving 
properties  about  knowledge.  "Scenarios*  have  been 
used  [  7  I  to  show  impossibility  of  solving  certain 
problems;  in  our  context,  a  scenario  is  a  computation, 
and  isomorphism  is  the  formal  treatment  of 
equivalence  between  scenarios.  Theorems  on 
knowledge  transfer  provide  lower  bounds  on  numbers 
of  messages  required  to  solve  certain  problems.  We 
have  used  isomorphism  as  the  basis  of  fusion  theorem 
and  related  isomorphism  to  semantics  of  send,  receive 
and  internal  events. 

A  number  of  generalizations  of  this  work  are 
possible:  we  can  define  isomorphism  based  on  states 
of  processes,  rather  than  computations;  we  can 
introduce  the  notion  of  time  into  computations;  we 


can  define  belief  in  terms  of  isomorphism.  Most  of 
the  results  in  this  paper  are  applicable  in  the  first  case 
but  not  in  the  other  two  cases. 

Acknowledgement:  We  are  indebted  to  Shmuel 
Katz,  Joe  Halpern,  E.W.  Dijkstra  and  Bengt  Jonsson 
for  their  comments.  Particular  thanks  go  to  Ernie  ' 
Cohen  for  a  careful  reading  of  the  manuscript  and 
insightful  comments. 


This  work  was  supported  in  part  by  a  grant  from  the 
Office  of  Naval  Research  under  N00014-85*K-0057. 


REFERENCES 

1.  K.  M.  Chandy  &  J.  Misra:  "Drinking 
Philosophers  Problem",  TOPLAS,  October 
1084. 

2.  M.  J.  Fischer,  N.  Lynch  k  M.  Paterson, 
"Imposaibility  of  Distributed  Consensus 
with  one  Faulty  Process”,  Journal  of  the 
ACM,  April  1085. 

3.  J.  Y.  Halpern  k  Y.  Moses:  "(Knowledge 
And  Common  Knowledge  In  A  Distributed 
Environment”,  ACM  SIGACT-SIGOPS 
Sympoeium  on  Prineiplee  of  Distributed 
Computing,  Vancouver,  Canada,  August 
1084. 

4.  J.  Hintikka:  "Knowledge  and  Belief", 
Cornell  University  Press,  1062. 

5.  L.  Lamport:,  "Time,  Clocks  and  the 
Orderings  of  Events  in  a  Distributed 
System",  Communications  of  the  ACM, 
Vol.  21,  No.  7,  pp.  558>564,  July  1078. 

0.  D.  Lehmann,  "Knowledge,  Common 
Knowledge,  and  Related  Puzzles",  ACM 
SIGACT-SIGOPS  Symposium  of 
Principles  of  Distributed  Computing, 
Vancouver,  Canada,  August  1084. 

7.  N.  Lynch  k  M.  Fischer,  "A  Lower  Bound 
for  the  Time  to  Assure  Interactive 
Consistency",  Information  Processing 
Letters,  Vol.  14,  No.  4,  June  1082. 

8.  K.  M.  Chandy  k  Jayadev  Misra,  "How 
Processes  Learn",  Distributed  Computing, 
Vol.  1,  No.  1,  January  1086,  (Published  by 
Springer  Verlag). 


214 


Distributed  Computing  ( 1986)  1 : 40-52 


©IMSDIMMI) 


C  Springer-Verlag  1986 


How  processes  learn 

K.M.  Cbandy  and  Jayadev  Misra 

Department  of  Computer  Sciences.  University  of  Texas  at  Austin.  Austin.  TX  78712.  USA 


Jayatlev  Misra  is  a  professor 
in  the  Department  of  Com¬ 
puter  Sciences  at  the  Unicer- 
sity  of  Texas  at  Austin.  His 
primary  research  interests  are 
in  the  area  of  distributed  com¬ 
puting:  specification  and  de¬ 
sign  of  networks  of  usvn- 
chronous  components.  He  be- 
lieces  that  sound  practical 
techniques  must  be  based  on 
elegant  theories. 


Mani  Chandy  is  a  professor 
of  Computer  Science  and 
Electrical  Engineering  at  the 
University  of  Texas  at  Austin. 
He  is  chairman  of  the  Com¬ 
puter  Sciences  Department. 
His  research  interests  are  in 
distributed  systems  and  per¬ 
formance  analysis. 


1  Introduction 

Processes  in  distributed  systems  communicate 
with  one  another  exclusively  by  sending  and 
receiving  messages.  A  process  has  access  to  its 

Offprint  requests  to:  K.M.Chandy 

This  work  was  supported  in  part  by  a  grant  from  the 
Office  of  Naval  Research  under  N 000 1 4-8 5- K -005 7 


State  but  not  to  the  states  of  other  processes. 
Many  distributed  algorithms  require  that  a  pro¬ 
cess  determine  facts  about  the  overall  system 
computation.  In  anthropomorphic  terms,  pro¬ 
cesses  “learn"  about  states  of  other  processes  in 
the  evolution  of  system  computation.  This  pa¬ 
per  is  concerned  with  how  processes  learn.  We 
give  a  precise  characterization  of  the  minimum 
information  flow  necessary  for  a  process  to  de¬ 
termine  specific  facts  about  the  system. 

The  central  concept  in  our  study  is  that  of 
isomorphism  between  system  computations  with 
respect  to  a  process:  two  system  computations 
are  isomorphic  with  respect  to  a  process  if  the 
process  behavior  is  identical  in  both.  In  anthro¬ 
pomorphic  terms,  "system  computations  are 
isomorphic  with  respect  to  a  process"  means 
the  process  cannot  distinguish  between  them. 

Many  correctness  arguments  about  distrib¬ 
uted  systems  have  the  following  operational  fla¬ 
vor:  “1  will  send  a  message  to  you  and  then 
you  will  think  that  I  am  busy  and  so  you  will 
broadcast...".  Such  operational  arguments  are 
difficult  to  understand  and  error  prone.  The 
basis  for  such  operational  arguments  is  usually 
a  “process  chain”:  a  sequence  of  message  trans¬ 
fers  along  a  chain  of  processes.  We  advocate 
nonoperational  reasoning.  The  basis  for  non- 
operational  arguments  is  isomorphism;  we  re¬ 
late  isomorphism  to  process  chains.  Algebraic 
properties  of  system  computations  under  iso¬ 
morphism  provide  a  precise  framework  for  cor¬ 
rectness  arguments. 

It  has  been  proposed  [3,  6]  that  a  notion  of 
"knowledge"  is  useful  in  studying  distributed 
computations.  In  earlier  works,  knowledge  is 
introduced  via  a  set  of  axioms  [4],  Our  defini¬ 
tion  of  knowledge  is  based  on  isomorphism. 
Our  model  allows  us  to  study  how  knowledge 


K.M.  Chandy  and  J.  Misra;  How  processes  learn 


41 


I 


(V. 


•  t 


C-C/ 


is  “gained”  or  “lost".  One  of  our  key  theorems 
states  that  knowledge  gain  and  knowledge  loss 
both  require  sequential  transfer  of  information: 
if  process  q  does  not  know  fact  b  and  later,  p 
knows  that  q  knows  b,  then  q  must  have  com¬ 
municated  with  p,  perhaps  indirectly  through 
other  processes,  between  these  two  points  in  the 
computation:  conversely,  if  p  knows  that  q 
knows  b  and  later,  q  does  not  know  b  then  p 
must  have  communicated  with  q  between  these 
two  points  in  the  computation.  In  the  first  case, 
the  effect  of  communication  is  to  inform  p  of  q's 
knowledge  of  b.  Analogously,  in  the  second 
case,  the  effect  of  communication  is  to  inform  q 
of  p's  intention  of  relinquishing  its  knowledge 
(that  q  knows  b).  Generalizations  of  these  re¬ 
sults  for  arbitrary  sequences  of  processes  are 
stated  and  proved  as  corollaries  of  a  general 
theorem  on  isomorphism. 

We  use  the  results  alluded  to  in  the  last 
paragraph  for  proving  lower  bounds  on  the 
number  of  messages  required  to  solve  certain 
problems.  We  show,  for  instance,  that  there  is 
no  algorithm  to  detect  termination  of  an  under¬ 
lying  computation  using  only  a  bounded  num¬ 
ber  of  overhead  messages. 

2  Model  of  a  distributed  system 

A  distributed  system  consists  of  a  finite  set  of 
processes.  A  process  is  characterized  by  a  set  of 
process  computations  each  of  which  is  a  finite 
sequence  of  events  on  that  process.  Process 
computations  are  prefix  closed,  i.e.  all  prefixes 
of  a  process  computation  are  also  process  com¬ 
putations  (of  that  process).  An  event  on  a  pro¬ 
cess  is  either  a  send,  a  receive  or  an  internal 
event.  A  send  event  on  a  process  corresponds  to 
sending  a  message  to  another  process.  A 
receive  event  on  a  process  corresponds  to  re¬ 
ception  of  a  message  by  the  process.  There  is 
no  external  communication  associated  with  an 
internal  event.  For  a  set  of  processes  P.  a  send 
event  by  P  is  a  send  event  by  some  component 
process  of  P  to  a  process  outside  P;  similarly  a 
receive  event  by  P  denotes  receipt  by  some 
process  in  P  of  a  message  sent  from  outside  P. 
Communication  among  processes  in  P  are  in¬ 
ternal  events  of  P.  We  use  “e  is  on  P".  for  event 
e  and  process  set  P.  to  denote  that  e  is  an  event 
on  some  process  in  P.  We  rule  out  processes 
which  have  no  event  in  any  computation.  We 
assume  that  all  events  and  all  messages  are 


distinguished;  for  instance,  multiple  occurrences 
of  the  same  message  are  distinguished  by  affix¬ 
ing  sequence  numbers  to  them. 

Let  z  be  any  sequence  of  events  on  com¬ 
ponent  processes  of  a  distributed  system.  The 
projection  of  2  on  a  component  process  p.  de¬ 
noted  by  2p.  is  the  subsequence  of  2  consisting 
of  all  events  on  p.  A  finite  sequence  of  events  2 
is  a  system  computation  of  a  distributed  system 
means  (1)  for  all  processes  p.  is  a  process 
computation  of  p  and.  (2)  for  every  receive 
event  in  2.  say  receipt  of  message  m  by  process 
p,  there  is  a  send  event,  of  sending  m  to  p. 
which  occurs  earlier  than  the  receive  in  2;  this 
send  event  will  be  called  the  send  event  corre¬ 
sponding  to  the  receive.  We  leave  it  to  the  re¬ 
ader  to  show  that  system  computations  are  pre¬ 
fix  closed. 

In  this  paper  we  consider  a  single  (generic) 
distributed  system.  For  instance,  when  we  say 
“2  is  a  computation"  we  mean  that  2  is  a  com¬ 
putation  of  the  distributed  system  considered 
here.  We  use  computation  to  mean  system  com¬ 
putation  when  no  confusion  can  arise. 

Notation.  We  use  .x.  y.  2  to  denote  compu¬ 
tations.  p.  q  for  processes  and  P.  Q  for  process 
sets;  these  symbols  may  be  used  with  subscripts 
or  superscripts.  The  concatenation  of  two  se¬ 
quences  y  and  2  will  be  denoted  by  (y;  2).  For 
sequences  y  and  2.  yg2  denotes  that  y  is  a 
prefix  of  2;  in  this  case  (y,  2)  denotes  the  suffix 
of  2  obtained  by  removing  y  from  2.  The  empty 
sequence  will  be  denoted  by  null.  The  symbol 
=  is  used  to  denote  equalities  among  sets  and 
among  predicates.  The  symbol  =  is  used  for 
definitions.  The  set  of  all  processes  in  the  sys¬ 
tem  will  be  denoted  by  D  and  for  any  process 
set  P,  P  =  D-P. 


3  Isomorphism 

We  define  relation  [p]  on  the  set  of  system 
computations  as  follows. 

Dejinition.  For  system  computations  .v.y: 
.x[p]  ys(.Xp  =  yp). 

In  other  words.  .x[p]y  means  p's  computation 
is  the  same  in  system  computations  .x  and  y.  In 
this  case,  we  say  .x,  y  are  isomoqiluc  with  respect 
to  p.  For  a  process  set  P.  define  relation  [P].  on 
the  system  computations,  as  follows. 


42 


K.M.  Chundy  and  J.  Misra:  How  processes  learn 


Definition.  .v[P]ys  for  all  p  in  P,  .x[>]y. 

Thus  .v[P]y  means  that,  given  only  the  com¬ 
putations  of  processes  in  P  we  cannot  dis¬ 
tinguish  .v  from  y.  From  definition,  x[{  }]y,  for 
all  computations  .x,y  where  {  }  denotes  the 
empty  set.  Observe  that  [P]  is  an  equivalence 
relation. 

It  is  convenient  to  represent  all  such  iso¬ 
morphism  relations  by  an  isomorphism  diagram: 
an  undirected  labelled  graph  whose  vertices  are 
computations  and  there  is  an  edge  labelled  [P] 
between  vertices  .x,  y  if  P  is  the  largest  set  of 
processes  for  which  .x[P]y.  Observe  that  every 
vertex  has  a  self  loop  labelled  [D]  where  D  is 
the  set  of  ail  processes  in  the  system.  Note  that 
.X  [D]  y,  X  +  y.  implies  y  is  a  permutation  of  .x. 

Example  1.  Consider  a  system  with  two  pro¬ 
cesses,  p  and  q,  for  which  part  of  the  isomor¬ 
phism  diagram,  showing  the  relationships 
among  four  system  computation,  is  given 
low. 

From  the  diagram  .x[p]y,  but  not  .x[<?]y.  This 
means  p  has  the  same  computations  in  both  .x 
and  y,  whereas  q's  computations  in  .x  and  y 
differ.  Computations  .x  and  z  have  the  same 
computations  for  both  p  and  q\  hence  one  is  a 
permutation  of  the  other.  There  is  no  direct 
relationship  between  y  and  w;  neither  y[p]u' 
nor  y[^]  w  holds.  However,  there  is  an  indirect 
relationship  between  y  and  w  because  y[p]r 
and  r[y]»v.  We  explore  such  indirect  relation¬ 
ships  next.  □ 

Definition.  Let  n>0  and  be  process  sets. 

Og/gn. 

'(lP»  -  Pn]  =  =  xlPo  -  Pn-i'\y  and  y[PJr,  for 
some  computation  y. 


Fig.  I.  An  isomorphism  diagram 


Hence,  [PC]  =  [P]°[Q]  where  “o”  is  the  re¬ 
lational  composition  operator.  This  operator  is 
associative  (from  properties  of  relations).  In 
terms  of  the  isomorphism  diagram,  x\_Pq...  PJz 
means  there  is  a  path  from  .x  to  z  whose  edges 
are  labelled  with  Qo,‘--,Qn^  respectively,  where 
Qi^Pi,  for  all  /. 

Example  I  (contd.).  We  have  y[pq'\w  and 
H[^p]y.  Also,  trivially,  y[<?p]r.  ylqpq]:. 
etc.  □ 

We  note  some  properties  of  isomorphism 
relations.  In  the  following.  P,  P^ . P„,  Q,  de¬ 

note  arbitrary  process  sets  and  .x,  y,  z  denote 
arbitrary  computations. 

1.  [P]  is  an  equivalence  relation. 

2.  (Substitution)  ([^]  =  [P])  implies  ([a/?-/] 
=  [adv])  for  arbitrary  sequences  of  process 
sets  a,  P,  7.  S. 

3.  (Idempotence)  [PP]  =  [P] 

4.  (Reflexivity)  .x[P, ...  /ii].x 

5.  (Inversion)  .x[P, . . .  PJ  y  =  y  [P,  • .  •  P, ]  x 

6.  (Concatenation)  For  0<m<n, 
3y:-x[P....PJy,y[P..,...P.]2 
=  .x[P....P„P„,,...PJz 

7.  [Pue]  =  ([P]n[Q]) 

8.  (e2P)=([e]c[P]) 

9.  (p=e)=([p]=[e]) 

10.  Q^P  implies  ([eP]  =  [P]  =  [Pe]) 

These  properties  follow  from  properties  of 
relations  and  our  model.  We  only  sketch  a 
proof  of  one  part  of  property  8: 

W^IP'\)  implies  [Q^P). 

If  Q^P  then  there  is  a  process  p  in  P-Q. 
From  our  model,  p  has  an  event  e  in  some 
computation  (.x;e).  Then  .x[Q](.x:e)  and 
-.x[P](.x;e).  Hence  [C]$[P]. 

3.1  Process  chains 

As  noted  in  the  introduction,  the  basis  for 
many  operational  arguments  are  process 
chains;  process  p  informing  q  which  in  turn, 
informs  r  etc.  One  of  our  goals  is  to  replace 
such  concepts  by  algebraic  properties  of  system 
computations.  In  this  section  we  show  how 
process  chains  are  related  to  isomorphism.  We 
first  define  proces  chains;  this  definition  is 
along  the  lines  suggested  by  Lamport  [5]. 

Definition.  For  events  e,  e'  in  a  computation  z, 
e-^e'  means; 


K.M.  Chandy  and  J.  Misra:  How  processes  learn 


43 


1.  e'  is  a  receive  and  e  is  the  corresponding  send, 
or 

2.  events  e,  e  are  in  the  same  process  com¬ 
putation  and  {e  —  e'  or  e  occurs  earlier  than 
e  ),  or 

3.  there  exists  an  event  e"  such  that  e-^e"  and 

For  brevity  we  write  e—*e'  when  the  com¬ 
putation  z  is  understood  from  context.  We  will 
write  as  shorthand  for 

and. ..and  Observe  that  e—*e 

for  every  event  e  in  z.  A  computation  z  has  a 
fjwess  chain  </^P,  means  there  exist 

events  e^,  not  necessarily  distinct,  in  z 

such  that  event  is  on  Pj,  for  all  0^/^n,  and 

Observation  I.  Any  occurrence  of  “P”  in  a  pro¬ 
cess  chain  may  be  replaced  by  “PP”,  or  vice 
versa,  since  for  any  event  e  on  P,  e-*e. 

Observation  2.  Let  .x  be  a  sequence  consisting  of 
a  subset  of  events  from  a  computation  .v.  Sup¬ 
pose  that  for  every  event  e  in  .x:  every  e’,  where 
e'-^e,  is  also  in  .x,  and  e'-^e.  Then  .x  is  a 
computation. 

3.2  Relationship  between  isomorphism 
and  process  chain 

Theorem  1.  (Fundamental  theorem  of  process 
chains).  Let  z  be  a  computation  and  x  a  prefix  of 
z.  Let  P,,  P2...P„,  n^l,  be  sets  of  processes. 
Then  -xrPP, ...  P]  z  or  there  is  a  process  chain 
<P,P2...P,>/n(.x,z).  □ 

Proof.  Assuming  that  there  is  no  process  chain 
<P,  in  (.x,z),  we  show  that  .x[P, ... /J]  z. 

Proof  is  by  induction  on  n.  For  n=l,  absence 
of  a  process  chain  <P,>  in  (.x,z)  means  that 
there  is  no  event  on  P^  in  (.x,z)  and  hence 
.x[P,]z.  For  «>  1,  we  show  that  there  is  some  y, 
.X  g  .v,  such  that  there  is  no  process  chain 
<P, ...  ,>  in  (.x,y)  and  >  [/J]  z;  the  result  then 

follows  by  inductive  argument. 

Let  £  be  the  subsequence  of  events  in  (.x,z) 
consisting  of  the  set  of  events  {e\e-»e'  where  e 
is  in  (x,z)  and  e'  is  some  event  on  /*}.  Let  >• 
=  (x;  £).  First,  we  show  that  if  ei-^e2  and  fj 
is  in  y  then  e,  is  also  in  y  and  e^-^e2^,  this 
guarantees  (from  observation  2)  that  ,v  is  a  com¬ 
putation.  This  result  follows  trivially  when  Cj  is 
in  .X.  If  ^2  is  in  (,x.z)  then  e2-^e',  for  some 


event  e'  on  P„  and  hence  Ci-^e'  and  therefore 
e^  is  in  y,  the  relative  order  between  e^.  ^2  is 
maintained  by  our  construction. 

Next,  we  show  that  y[/i]z;  that  is,  every 
event  on  P„  that  is  in  z  is  also  in  y.  This  follows 
trivially  for  events  on  P„  that  are  in  .x.  Let  e'  be 
an  event  on  P^  that  is  in  (x,z).  Since  e'-*e',  e'  is 
also  in  £  and  hence  in  y. 

Finally,  we  show  that  there  is  no  process 
chain  <P, in  (.x,y)-  If  there  is  such  a 
process  chain,  consider  its  last  event  e.  Accord¬ 
ing  to  our  construction,  event  chain  e-*e'  exists 
in  (.x,z),  where  e'  is  some  event  on  P„.  Hence 
there  is  a  process  chain  <P,  in  (.x.z),  con¬ 
tradicting  our  assumption.  □ 

We  note  that  the  two  conditions  in  the  last 
sentence  of  the  theorem  are  not  exclusive.  Con¬ 
sider  two  computations  z,  z'  where 

z  is  <P  sends  m  to  R;  R  receives  m 
from  P;  R  sends  m'  to  Q; 

Q  receives  m'  from  P>, 

z  is  <R  sends  m'  to  Q\Q  receives  m'  from  R> 

In  z,  though  there  is  a  process  chain  (PRQ). 
there  is  not  a  "true”  dependence  from  P  to  R 
to  Q:  R  sends  m'  to  Q  independent  of  receiving 
m  from  P  (as  shown  in  z  ).  Note  that  null  [P]  z' 
and  z’  [g]  z.  and  hence  null  [P^]  ^  though 
(mm//,z)  has  a  process  chain  (PQ}. 

3.3  An  application  of  isomorphism: 
how  to  construct  a  computation 
by  fusing  separate  ones 

In  this  section,  we  show  an  application  of  iso¬ 
morphism:  we  give  a  construction  to  "fuse” 
two  computations  to  obtain  a  new  compu¬ 
tation.  provided  certain  types  of  paths  exist  in 
the  isomorphism  diagram.  We  motivate  the  dis¬ 
cussion  by  the  following  observations.  Suppose 
(x;£)  and  (x;£)  are  computations  where  all 
events  in  £  are  on  a  process  set  P  and  all 
events  in  £  are  on  P.  Then,  from  definition. 
(x:£;£)  and  (x;£:£)  are  also  computations,  be¬ 
cause  events  in  £,  £  are  independent  and  hence 
may  be  fused  in  arbitrary  order.  A  similar  re¬ 
sult  appears  in  Fischer  et  al.  [2].  The  following 
lemma  is  a  generalization  of  this  obervation. 

Lemma  1.  Let  x.y.z  he  computations  where 
x^y  and  x^z.  Let  P.Q  he  suck-^iat  PkjQ  =  D. 
x[P]  y  and  x[Q]z.  Then  there  exists  a  com- 
putation  w  where  x^w.  y[Q]  w  and  z[P]  u-.  □ 


44 


K.M.  Chandy  and  J.  Misra;  How  processes  learn 


Fib.  2.  Isomorphism  diagram  depicting  fusion 

The  relationships  among  x,y.z  and  w  are 
represented  by  the  following  commutative  iso¬ 
morphism  diagram. 

Proof.  Let  u  =.x;  (.x.y); 

From  the  condition  of  the  lemma,  (.x.  y)  has 
^ents  only  on  P  and_(.x,_r)  has  events  only  on 
Q.  Since  PyjQ  =  D,  Pr\Q  =  {  }  and  hence  no 
process  has  events  in  both  (.x.y)  and  (.x.r).  It 
follows,  from  definition  of  computations,  that  w 
is  a  computation.  Also  y[C]»v,  r[P]H'  and 
x  g  IV.  as  required  for  proof  of  the  lemma.  □ 

Note  that,  in  the  construction  of  Lemma  1. 
all  events  from  £  and  £  were  present  in  the 
fused  computation.  We  prove  a  far  more  gener¬ 
al  result  below.  We  show  that  for  any  two 
arbitrary  computations  y  and  z,  the  projected 
computations,  y,  and  Zp,  may  be  fused  to  form 
a  new  computation  provided  there  is  a  com¬ 
putation  X  which  is  a  prefix  of  both  y  and  z, 
and  no  message  sent  by  P  in  (x.y)  is  received 
by  P  in  (x,  y)  ai^  no  message  sent  by  P  in  (x,  z) 
is  received  by  P  in  (x,  z).  This  makes  intuitive 
sense;  processes  in  P  can  execute  ail  events  in  y 
given  only  that  processes  in  P  execute  all  events 
up  ^o  X  and  similarly  for  executions  of  events 
on  P  up  to  z.  However,  the  statement  and  proof 
of  this  result  are  difficult  without  the  notion  of 
isomorphism.  We  note  that  the  result  may  be 
easily  generalized  to  fusions  of  arbitrary  num¬ 
bers  of  computations  under  similar  constraints. 

Theorem  2.  (Fusion  of  computations).  Consider 
system  computations  x,  y,  z  where  x  ^  y  and  x  g  z. 
Let  P  be  a  set  of  processes  such  that  there  is  no 
process  chain,  (1)  <PP>  in  (.x,  y)  and  (2)  <PP>  in 


Fig.  3.  Diagramatic  representation  of  fusion  theorem 


/  \ 


Fig.  4.  Intermediate  step  in  fusion  theorem 

(x,  z).  Then  there  is  a  computation  w  where, 
x^w,  y  IPI  w  and  z[P]vv’.  That  is,  w  consists  of 
all  events  on  P  from  y  and  all  events  on  P  from 
2.  □ 

Proof.  According  to  Theorem  1,  absence  of  pro¬ 
cess  chains  as  given  in  this  theorem  means  that, 
x[PP]y  and  x[PP]z. 

The  theorem  asserts  the  existence  of  the  iso¬ 
morphism  diagram  in  Fig.  3.  To  prove  that 
such  a  H’  exists,  label  the  intermediate  point 
between  x,  y  as  ii  and  between  x,  z  as  v  in  this 
figure.  Now  we  apply  Lemma  1  to  x,  u.  v  to 
obtain  a  iv,  as  given  in  Fig.  4. 

Now  u[P]  y  and  u[P]  iv;  hence  y[P]  w.  Sim¬ 
ilarly  z[P]w.  This  proves  the  theorem.  Rela¬ 
tionships  among  x,  y.  z.  u,  v,  w  are  shown  in 
Fig.  5.  □ 

The  fusion  theorem  is  used  later  to  obtain 
lower  bounds  on  the  number  of  messages  re¬ 
quired  to  solve  certain  problems. 


K.M.  Chandy  and  J.  Misra:  How  processes  learn 


45 


jr 


Fig.  5.  Isomorphism  diagram  depicting  proof  of  fusion 
theorem 

3.4  Semantics  of  event  types  in  terms 
of  isomorphism 

We  now  use  isomorphism  to  state  and  derive 
some  important  facts  about  various  types  of 
events.  First,  note  that  a  process  carries  out  an 
internal  event  or  sends  a  message  depending  on 
its  own  computation  alone.  Therefore,  if  a 
process  takes  such  a  step  in  a  computation  x,  it 
will  also  do  so  in  y.  if  x.  y  are  isomorphic  with 
respect  to  this  process.  An  analogous  result 
holds  for  internal  and  receive  events.  The  fol¬ 
lowing  principle,  which  states  these  facts  for¬ 
mally,  may  be  proven  from  the  definition  of 
System  computation. 

Principle  of  computation  extension: 

Let  e  be  an  event  on  P. 

1.  e  is  an  internal  or  send  event:  (x[P]y  and 
(x;e)  is  a  computation)  implies  (y;e)  is  a  com¬ 
putation. 

2.  e  is  an  internal  or  receive  event:  (x;e)[P]y 
implies  {y  —  e)  is  a  computation,  where  (y  — e)  is 
the  sequence  obtained  by  deleting  e  from  y.  □ 

Note.  In  (1).  (x;e)[P]  (y;e)  and  in  (2),  x[P](y 
-e). 

Corollary.  Let  e  be  a  receive  event  on  P  and  let 
the  corresponding  send  event  be  on  Q. 

(x[PuQ]y  and  {x:e)  is  a  computation)  implies 
(y;  e)  is  a  computation.  □ 

Proof,  e  is  an  internal  event  of  Pu  Q.  □ 

The  following  theorem  follows  from  the  prin¬ 
ciple  of  computation  extension. 


Tlieorem  3.  Let  (x.  e)  be  a  computation  where  e 
is  an  event  on  P. 

Case  I.  e  is  a  receive: 

for  every  z:  (x;c)  [PP]r  implies  x[PP]r 

Case  2.  e  is  a  send: 

for  every  z:x[PP]  z  implies  (x;e)[PP]r 

Case  3.  e  is  an  internal  event  : 

for  every  z:  (x;e)[PP]z  =  x[PP]z  □ 

Proof.  We  will  prove  only  Case  2;  other  cases 
are  similarly  proven. 

x[PP]z  implies  there  exists  v.  x[P]\’  and 
y[P]z. 

From  principle  of  computation  extension.  (y:f) 
is  a  computation  and  (x;e)  [P]  (y:e).  Also. 
(y:e)[PLv.  Hence,  (x;e)[PP]z,  and  therefore. 
U;e)[PP]z.  □ 

This  theorem  captures  the  intuitive  notion 
that  the  set  of  possible  computations,  isomor¬ 
phic  with  respect  to  P,  can  only  shrink  in  size 
as  a  result  of  a  reception  as  computations 
which  do  not  include  the  corresponding  send 
are  ruled  out.  Similarly,  the  set  of  possible  com¬ 
putations,  isomorphic  with  respect  to  P  cannot 
shrink  as  a  result  of  a  send:  after  the  send, 
additional  computations  which  accept  the  mes¬ 
sage  sent  are  isomorphic  while  all  prior  isom¬ 
orphic  computations  remain  isomorphic.  An  in¬ 
ternal  event  can  neither  expand  nor  shrink  the 
set  of  isomorphic  computations. 

4  Knowledge 

As  we  have  remarked  earlier,  predicates  of  the 
type  P  knows  b  at  x  may  be  defined  using 
isomorphism.  We  explore  properties  of  such 
predicates  in  our  model.  We  show  that  they 
satisfy  the  “knowledge  axioms’*  as  given  in 
[3.6].  We  prove  a  general  result  which  shows 
that  certain  forms  of  knowledge  can  only  be 
gained  or  lost  in  a  sequential  fashion  along  a 
chain  of  processes.  That  is.  if  b  is  false  for  a 
computation  and  later.  knows  P  knows ...  P„ 
knows  b  (this  represents  knowledge  gain),  then 
there  is  a  process  chain  , ...  f{>  between 

these  two  points  of  the  computation.  Con¬ 
versely.  if  /]  knows  p2  knows  .7rP„  knows  b  and 
later,  b  is  false  (this  represents  knowledge  loss), 
then  there  is  a  process  chain  <P,  Pj.../^,)  be¬ 
tween  these  two  points  of  the  computation. 


46 


iC.Vf.  Chandy  and  J.  Misra:  How  processes  learn 


Crucial  to  our  work  is  the  notion  of  local 
predicates:  a  predicate  local  to  p  can  change  in 
value  only  as  a  result  of  events  on  p.  We  show 
that  local  predicates  play  a  key  role  in  under¬ 
standing  knottJedge  predicates. 

4.1  Knowledge  predicates 

Let  b  denote  a  predicate  on  system  compu¬ 
tations  and  "b  at  .x"  its  value  for  computation 
.V.  Our  predicates  are  total,  i.e.  for  each  x,  b  at  x 
is  either  true  or  false.  We  furthermore  assume 
that  .v[D]y  implies  (b  at  x  =  b  at  y)  for  every 
predicate  b.  Thus  predicate  values  depend  only 
upon  computations  of  component  processes  and 
not  on  the  way  independent  events  are  ordered 
in  a  linear  representation  of  the  computation.  A 
predicate  c  is  a  constant  means  c  at  x  =  c  at  y, 
for  all  computations  .x,  y.  We  now  define  {P 
knows  b)  at  x. 

Definition.  (P  knows  b)  at  x  = 
for  all  y:  .x[P]  y:b  at  y 

Note  that  b  may  itself  be  a  predicate  of  the 
form  Q  knows  b'  in  the  above  definition.  We 
next  note  some  facts  about  knowledge  pre¬ 
dicates.  In  the  following,  .v,  y  are  arbitrary  com¬ 
putations,  b,b'  are  arbitrary  predicates  and  P,Q 
are  arbitrary  sets  of  processes.  All  facts  are 
universally  quantified  over  all  computations. 
We  use  the  convention  that  P  knows  Q  knows  b 
at  X  is  to  be  interpreted  as  {P  knows  (Q  knows 
h))  at  X. 

1.  P  knows  b  at  X  =  for  all  y:  x  [/*]  y:  P  knows 
b  at  y 

2.  .x[P]y  implies  [P  knows  b  at  x  =  P  knows  b 
at  y] 

3.  (P  knows  b)  implies  (PuQ  knows  b) 

4.  (P  knows  b)  implies  (b) 

5.  (P  knows  b)  or  P  knows  b) 

6.  (P  knows  b)  and  (P  knows  b')  =  P  knows  {b 
and  b') 

7.  ((P  knows  b)  or  (P  knows  b'))  implies 
(P  knows  {b  or  b')) 

8.  (P  knows  ~  b)  implies  ( ^  P  knows  b) 

9.  ((P  knows  b)  and  {b  implies  b'))  implies 
(P  knows  b') 

10.  P  knows  P  knows  b  =  P  knows  b 

1 1 .  P  knows  ~  P  knows  b=  ^P  knows  b 

12.  P  knows  c  or  P  knows  '-c.  for  any  constant  c. 

These  facts  are  easily  derivable  from  the  defini¬ 
tion  of  knows.  We  give  a  proof  of  (II),  whose 
validity  in  other  domains  have  been  que<^tioned 
on  philosophical  grounds  [3]. 


Lemma  2.  P  knows  ~  P  knows  b=  -^P  knows 
b.  □ 

Proof.  P  knows  ~  P  knows  b  at  x 
=  for  all  y;  .x[P]y:  ~P  knows  b  at  y, 
from  definition 

=  for  all  y:  .x[P]  y:  there  exists  z:  y[P]  z:  -  bat  z,_ 
from  definition 

=  there  exists  z:  .x[P]2:  -b  at  z, 
since  [P]  is  an  equivalence  relation 
=  ~  P  knows  b  at  X.  □ 

There  are  situations  where  multiple  levels  of 
knowledge  such  as,  P  knows  Q  knows  b,  are 
useful.  For  instance,  consider  a  token  bus  which 
is  a  linear  sequence  of  processes  among  which  a 
token  is  passed  back  and  forth;  processes  at  the 
left  or  right  boundary  have  only  a  right  or  left 
neighbor  to  whom  they  may  pass  the  token; 
other  processes  may  send  it  to  either  neighbor. 
There  is  only  one  token  in  the  system  and 
initially  it  is  at  the  leftmost  process.  Consider  a 
token  bus  with  five  processes  labelled  p.  q,  r,  s.  t 
from  left  to  right.  When  r  holds  the  token, 

r  knows  {{q  knows  Ip  does  not  hold  the  token)) 
and 

(s  knows  (t  does  not  hold  the  token))) 

Relations  of  the  form  [PQ],  with  multiple 
process  sets,  arise  from  predicates  with  multiple 
occurrence  of  knows; 

For  instance: 

p  knows  q  knows  b  at  z 

=  for  all  y:  .x[p]  y:  q  knows  b  at  y 

=  for  all  y:  .x[p]y:  (for  all  z:  y[^]  r:  b  at  r) 

=  for  all  z:  x[pq'\z:  b  at  z 

4.2  Local  predicates 

Let  b  be  a  predicate  on  system  computations, 
and  P  a  set  of  processes.  We  define  a  predicate 
P  sure  b  as  follows. 

Definition.  (P  sure  b)  at  x  =  ((P  knows  b)  at  x  or 
(P  knows  -b)  at  .x). 

In  other  words  (P  sure  b)  at  x  means  that  P 
knows  the  value  of  b  at  .x. 

We  define  unsure  as  negation  of  sure. 
Definition.  P  unsure  b  =  —P  sure  b. 

Hence,  (P  unsure  b)  at  x  =  [(^P  knows  b)  at  x 
and  (  ~  P  knows  -  b)  at  x]. 

Definition,  b  is  local  to  Psfor  all  x:  (P  sure  h) 
at  X. 


K.M  Chand>  and  J.  Misra;  How  processes  learn 


47 


That  is,  the  value  of  b  is  always  known  to  P. 
Local  predicates  capture  our  intuitive  notion  of 
a  predicate  whose  value  is  controlled  by  the 
actions  of  processes  to  which  it  is  local. 

We  note  the  following  facts  about  local  pre¬ 
dicates;  in  the  following,  b  is  an  arbitrary  pre¬ 
dicate  and  P.  Q  are  arbitrary  sets  of  processes. 

1.  {b  is  local  to  P  and  x[P]  v)  implies  {b  at  x  =  b 
at  y) 

2.  b  is  local  to  P  implies  (b  =  P  knows  b) 

3.  b  is  local  to  P  =  [‘^b)  is  local  to  P. 

4.  b  is  local  to  P  implies  [Q  knows  b  =  Q  knows 
P  knows  b] 

5.  (P  knows  b)  is  local  to  P. 

6.  b  is  local  to  P  and  b  is  local  to  Q  and  P,Q  are 
disjoint  implies  h  is  a  constant. 

7.  b  is  a  constant  implies  b  is  local  to  P. 

8.  (P  sure  b)  is  local  to  P. 

Proof  of  (1)  follows  from  definition  of  knowl¬ 
edge  and  local  predicates.  (2)  and  (3)  follow 
trivially.  (4)  follows  from  Q  knows  b  at  x  =  for 
all  y:  .v[Q]y:  b  at  y  =  for  all  y;  .x[Q]y;  P 
knows  b  at  y  (since  b  is  local  to  P)  =  Q  knows  P 
knows  b  at  x.  (5)  follows  from,  (P  knows  P 
knows  b  or  P  knows  ~P  knows  b)  =  (P  knows  b 
or  ~P  knows  b)  —  true.  Proof  of  (6)  is  impor¬ 
tant  and  hence  is  given  below  as  a  lemma.  (7) 
and  (8)  are  trivially  proven  from  definition. 

Lemma  3.  b  is  local  to  disjoint  sets  P.Q  implies 
b  is  a  constant.  □ 

Proof.  We  show  that  b  at  x  —  b  at  null,  for  all  x. 
Proof  is  by  induction  on  length  of  x. 

b  at  null  =  b  at  null. 

b  at  (x:e)  =  b  at  .v,  because  event  e  is  not  on  P 
or  e  is  not  on  Q.  and  hence  (x;e)[P]x  or 
(x;e)[Q]x;  then  the  result  follows  from  proper¬ 
ty  (D-  □ 

For  a  system  of  processes,  b  is  common 
knowledge  is  defined  as  the  greatest  fix  point  of 
the  following  equation. 

b  is  common  knowledge  =  b  and  (p  knows  fr) 
is  common  knowledge,  for  ail  processes  p.  In¬ 
tuitively.  b  is  common  knowledge  means  b  is 
true,  every  process  knows  b,  every  process  knows 
that  every  process  knows  b,  etc. 

Halpern  and  Moses  [3]  have  shown  that 
common  knowledge  cannot  be  gained,  if  it  was 
not  present  initially,  in  a  system  which  does  not 
admit  of  simultaneous  events.  The  following 
corollary  to  lemma  3  shows  that  common 


knowledge  can  neither  be  gained  nor  lost  in 
distributed  systems. 

Corollary.  In  a  system  with  more  than  one  pro¬ 
cess,  for  any  predicate  b,  b  is  common  knowledge 
is  a  constant.  □ 

Proof.  For  any  process  p,b  is  common  knowl¬ 
edge  =  p  knows  (b  is  common  knowledge).  Hence,  h 
is  common  knowledge  is  local  to  every  p.  Apply¬ 
ing  lemma  3,  b  is  common  knowledge  is  a  con¬ 
stant.  □ 

It  is  possible  to  show  that  even  weaker 
forms  of  knowledge  cannot  be  gained  or  lost  in 
our  model  of  distributed  systems.  Process  sets 
P,Q  have  identical  knowledge  of  b  means. 

P  knows  b  =  Q  knows  b 

Corollary.  If  P,  Q  are  disjoint  and  have  identical 
knowledge  of  b  then  P  knows  b  (and  also  Q 
knows  b)  is  a  constant.  □ 

Proof.  P  knows  b  is  local  to  P  and  Q  knows  h  is 
local  to  Q.  From  P  knows  b  =  Q  knows  b.  they 
arc  also  local  to  Q  and  P  respectively.  The 
result  follows  directly  from  lemma  3.  □ 

Corollary.  If  P,Q  are  disjoint  and  P  sure  b  =  Q 
sure  b,  then  P  sure  b  (and  also  Q  sure  b)  is  a 
constant.  □ 

4.3  How  knowledge  is  transferred 

We  show  in  this  section  that  chains  of  knowl¬ 
edge  are  gained  or  lost  in  a  sequential  manner. 

Theorem  4.  For  arbitrary  process  sets  P^....P„. 
1.  predicate  b  and  computations  .v.  y. 

(i^  knows...  P„  knows  b  at  x  and  x[/^  ... /JJ  y) 
implies  {P„  knows  b  at  y).  □ 

Proof.  Proof  is  by  induction  on  n.  For  n  =  l.  P^ 
knows  b  at  x,  x[/^]  y  implies  P^  knows  b  at  \-. 
trivially. 

Assume  the  induction  hypothesis  for  some 
n  —  1,  n  >  1.  and  assume 

P^  knows ...  P„  knows  b  at  x  and  x[f^ ...  /J]  y. 

We  shall  prove  P„  knows  b  at  y. 

From  x[/J ... /Jj  y.  we  conch»^  that  there  is 
a  such  that. 

x[/?...P„_,]randr[PJ.i. 


48 


K.M.  Chandy  and  J.  Misra:  How  processes  learn 


From  .x[/^ z  and  P^  knows ...  ,  knows 

knows  h)  at  .x,  we  conclude,  using  induction. 
P^_  j  knows  P^  knows  b  at  z.  Hence,  P„  knows  b 
at  z. 

Since  r  knows  b  at  y.  □ 

Corollary.  For  arbitrary  process  sets 

1.  predicate  b  and  computations  x,  y, 

(ij  knows ...  P„_  I  knows  knows  b  at  x  and 
[Zi .  •  •  ZJ]  >■)  implies  ~  P„  knows  b  at  y.  □ 

Note.  For  n  =  1  antecedant  is,  ~  ZJ  knows  b  at  x. 

Corollary.  Theorem  4  holds  with  knows  replaced 
by  sure  in  ''P^  knows". 

Theorem  4  can  be  applied  to  (1)  (knowl¬ 
edge  is  lost)  and  (2)  y^x  (knowledge  is  gained). 
Using  theorem  1,  we  can  deduce  that  there  is  a 
process  chain  (.P^...P„y  in  the  former  case  and 
<ZJ|...Z^>  in  the  latter  case.  We  first  prove  a 
simple  lemma  about  the  effect  of  receive  or 
send  on  knowledge:  we  show  that  certain  forms 
of  knowledge  cannot  be  lost  by  receiving  nor 
gained  by  sending. 

Lemma  4.  ( How  events  at  a  process  change  its 
knowledge  ) 

Let  b  be  a  predicate  which  is  local  to  P  and 
|x;e)  a  computation  where  e  is  an  event  on  P. 

1.  e  is  a  receive:  {knowledge  is  not  lost} 

iP  knows  b  at  X)  implies  (P  knows  b  at  (x;e)) 

2.  e  is  a  send:  [knowledge  is  not  gained} 

(P  knows  b  at  (x;e))  implies  {P  knows  b  at  x) 

3.  e  is  an  internal  event: 

{knowledge  is  neither  lost  nor  gained} 

(P  knows  b  at  x)  =  (P  knows  b  at  (x;e)).  □ 

Proof.  We  prove  only  (1).  Consider  any  z  such 
that  (x;e)[P]z.  We  will  show  b  at  z  and  hence 
it  follows  that  P  knows  b  at  (x;e). 

Since  z[P]  z,  we  have  (x;  e)[PP]  z. 

From  theorem  3,  since  e  is  a  receive,  x[PP] 
z.  Since  b  is  local  to  P, 

P  knows  b^P  knows  P  knows  b. 

From  theorem  4. 

(P  blows  P  knows  b  at  x,  x[PP]  z)  implies 
(P  knows  b  at  z) 

(P  knows  b  at  z)  implies  {b  at  z). 

This  completes  the  proof.  □ 


Corollary,  {b  is  local  to  P,  ~P  knows  b  at  x.  P 
knows  b  at  y,  xgy)  implies  (P  receives  a  message 
in  (X,  y)).  □ 

Corollary,  (b  is  local  to  P,  P  knows  b  at  .x,  ~P 
knows  b  at  y,  x^y)  implies  (P  sends  a  message  in 

(.’c.y)).  □ 

Theorem  5.  ( How  knowledge  is  gained)  Let 
x,y  be  computations  where  x^y,  ~(ZJ  knows  b) 
at  X  and  (f{  knows ...  P^  knows  b)  at  y,  for  arbi¬ 
trary  process  sets  Pi-  -P„,  n^l.  Then  there  is  a 
process  chain  <Zj| . . .  Z^  >  in  (x,  y).  Furthermore,  if 
b  is  local  to  ZJ  then  ZJ  has  a  receive  event  in 
(x,  y)  such  that  b  at  z  holds  for  every  prefix  z  of 
y  which  includes  the  corresponding  send 
event.  □ 

Theorem  6.  (How  knowledge  is  lost)  Let  x,  y 
be  computations  where  x^y,  Z?  knows...  P„ 
knows  b  at  x  and  -  ZJ  knows  b  at  y,  for  arbitrary 
process  sets  Z} ...  ZJ,  n^  1.  Then  there  is  a  process 
chain  <^...^>  in  (.x, y).  Furthermore,  if  b  is 
local  to  P^  then  ZJ  has  a  send  event  in  (x,  y).  □ 

Observe  that  the  statements  of  the  two  theo¬ 
rems  are  not  entirely  symmetric  for  receive  and 
send  events.  The  reason  is  that  every  compu¬ 
tation  including  a  receive  must  also  include  the 
corresponding  send,  but  not  conversely. 

5  Applications  of  the  results 

We  discuss  a  few  applications  of  the  theory 
developed  so  far  in  the  paper. 

5.Z  yVhen  is  a  process  unsure  about  a  predicate? 

We  show  that  it  is  impossible  for  processes  P  to 
tjack  the  change  in  value  of  a  local  predicate  of 
P,  at  all  times;  P  must  be  unsure  about  the 
value  of  this  predicate  while  it  is  undergoing 
change. 

Lemma  6.  ( IntervaJ  of  uncertainty:)  Let  b  be  a 
predicate  local  to  P.  Let,  b  at  x^b  at  (x;^)  for 
some  computation  (x;e).  Then  P  unsure  b  at  x 
and  P  unsure  b  at  (x;  e).  □ 

Proof.  Since  b  is  local  to  P  and  its  value  chang¬ 
es  as  a  result  of  event  e,  e  is  not  on  P.  There¬ 
fore.  x[P](x;e)  and  hence  P  knows  b  at  x  =  P 
knows  b  at  (x;e).  Since  h  or  x  +  b  or  (.x;e).  both 
P  knows  b  at  X  and  P  knows  b  at  (x ;  e)  are  false. 
Analogously,  P  knows  ~b  at  x  and  P  knows 


K.M.  Chandy  and  J.  Misra:  How  processes  learn 


49 


-‘b  at  (.x;e)  are  both  false.  This  completes  the 
proof.  □ 

What  does  this  lemma  imply  about  the 
event  e  on  P  which  changes  the  value  of  local 
predicate  b  of  P?  It  follows  that  P  must  be 
unsure  about  b  for  event  e  to  occur.  Further¬ 
more,  we  show  that  if  e  is  internal  or  send  then 
a  necessary  condition  for  occurrence  of  e  is  that 
P  knows  P  unsure  b  before  application  of  e. 

Theorem  7.  Let  b  be  local  to  P.  For  a  com¬ 
putation  (.x.  e),  where 

b  at  x^b  at  (x;e) 

(P  knows  P  unsure  b)  at  x,  if  e  is  an  internal  or 
send  event  on  P, 

(P  knows  P_unsure  b)  at  (x ;  e),  if  e  is  internal  or 
receive  on  P  □ 

Proof.  Consider  any  y  for  which  x[P]y'.  From 
the  principle  of  computation  extrasion,  (y;^)  is 
also  a  computation;  hence  (x;  e)[P](y;e). 

b  is  local  to  P,  hence;  b  at  x  =  b  at  y 
and,  b  at  (.x;  e)=b  at  (y,  e). 

From,  b  at  x^b  at  (x;e)  it  follows  that  ;  b 
at  y=¥b  at  0';e). 

Hence,  from  lemma  (6),  P  unsure  b  at_y. 

From  the  definition  of  knowledge,  P  knows 
P  unsure  b  at  x.  The  other  part  is  similarly 
proven.  □ 

Corollary.  Let  b  be  local  to  P.  For  a  comply 
tation  (x;e),  where  e  is  an  internal  event  on  P, 

if-. 

b  at  x  +  b  at  (x;  e) 

then  for  any  y,  x  ^  y,  where  P  has  no  send  event 
in  (x,y): 

P  knows  P  unsure  b  at  y.  □ 

Proof.  From  Theorem  7,  P  know's  P  unsure  b  at 
X.  Since  P_  sends  no  message  in  (x,  y),  from 
Lemma  4,  P  can  lose  no  knowledge  and  hence, 
P  knows  P  unsure  b  at  y.  □ 

5.2  Detection  of  process  failure  is  impossible 

Traditional  techniques  for  process  failure  de¬ 
tection  based  on  time-outs  assume  certain  exe¬ 
cution  speeds  for  processes  and  maximum  de¬ 
lays  for  message  transfer.  It  is  generally  accept¬ 
ed  that  detection  of  failure  is  impossible  with¬ 
out  using  time-outs,  a  fact  that  we  prove  for¬ 
mally. 


We  model  failure  of  P  as  follow^  Let  f  be  a 
local  predicate  of  P  denoting  that  P  has  failed 
We  assume  that  (1)  /  is  initially  false,  and  (2)  P 
may  fail  at  any  time,  i.e.  for  every  x  for  which 
~ / (x),  there  is  an  internal  event  e  on  P  such 
that  /(x;e)  and  (3)  P  sends  no  message  as  long 
as  /  holds.  Under  these  constraints,  we  show 
that  P  is  always  unsure  of  failure  of  P.  In  fact, 
we  show  that  P  knows  P  unsure  f  at  all  com¬ 
putations  y.  Note  that  we  do  not  require  failure 
to  persist,  i.e.  it  is  entirely  possible  to  have 
xgy,/(x)and  ~/(y). 

Theorem  8.  P  knows  P  unsure  f  at  3-,  for  all 

y,  □ 

Proof.  If  ~  / (y),  there  is  an  internal  ev^t  e  on 
P  such  that  fly;e).  From  Theorem  7,  P  knows 
P  unsure  f  at  y.  If  fly),  then  from  the  fact  that  / 
is  false  initially,  there  is  some  (x;e),  (x;e)^.v. 
such  that,  ~/(x)  and  /(x;e).  Without  loss  in 
generality,  we  may  assume  that  P  stays  failed 
after  U;e)  until  y.  Since  e  is  an  internal  event 
and  P  stays  failed  after  (x;e),  there  is  no  send 
event  on  P  _in  (x,  y)-  Hence,  from  corollary  to 
Theorem  7,  P  knows  P  unsure  f  at  y.  □ 

5.2  Mutual  exclusion 

Consider  a  system  of  processes  in  which  every 
process  p  has  a  local  predicate  cs^  and  for 
every  pair  of  processes  p.q  and  every  compu¬ 
tation  X,  ~(cSp  and  cs,)  at  x.  Intuitively,  cs^ 
denotes  that  p  is  in  its  critical  section  and  the 
restriction  that  no  two  processes  can  simulta¬ 
neously  be  in  their  critical  sections,  is  captured 
by  the  last  requirement.  We  show  that  in  every 
computation  of  a  solution  to  the  mutual  ex¬ 
clusion  problem  (in  our  model),  there  is  a  pro¬ 
cess  chain  <p,  ...p„>,  where  Pj  is  the  ith  process 
to  enter  its  critical  section. 

Theorem  9.  For  any  .x,  y.  x^.v.  cs^  at  x  and  cs^ 
at  V  implies  that  there  is  a  process  chain  (.pq}  in 
(x,y).  □ 

Proof.  Observe  that  cs^  implies  ^cs^,  and 
implies  Iq  knows  ^cs^).  Also,  cs,  implies  {^q 
knows  ^cs,).  Hence,  (cs  at  x)  implies  (p  knows 
q  knows  ^cs^  at  x)  and  (c5^  at  3  )  implies  (~</ 
knows  ^cs,  at  y).  The  result  follows  from  theo¬ 
rem  (6).  □ 

We  can  show,  based  on  the  observation 
given  below,  that  a  solution  to  the  distributed 


50 


K.M.  Chandy  and  J.  Misra;  How  processes  learn 


dining  philosophers  problem  appearing  in  [1] 
requires  no  more  than  twice  the  number  of 
messages  in  an  optimal  scheme.  In  the  distrib¬ 
uted  dining  philosophers  problem,  philosophers 
are  placed  at^erlices  of  an  undirected  graph 
and  one  fork  is  placed  on  each  edge.  A  philo¬ 
sopher  requires  forks  on  all  incident  edges  to 
eat  and  hence  neighboring  philosophers  cannot 
eat  simultaneously. 

Observation.  For  neighboring  philosophers  p,q, 
there  is  a  process  chain  <pq>  in  (.x,y)  where  p 
eats  at  .v,  q  eats  at  y  and  Hence  at  least 

one  message  must  be  sent  by  p  to  q  between  an 
eating  session  by  p  and  a  subsequent  eating 
session  by  q.  The  solution  in  [1]  employs  two 
messages  between  an  eating  session  by  p  and  a 
subsequent  eating  session  by  q. 

5.4  Complexity  of  termination  detection 

We  show  that  any  algorithm  which  detects  ter¬ 
mination  of  an  underlying  computation  re¬ 
quires  at  least  as  many  overhead  messages,  in 
general,  for  detection  as  there  are  messages  in 
the  underlying  computation.  We  prove  our  re¬ 
sult  by  considering  a  specific  underlying  com¬ 
putation. 

Consider  a  system  of  two  processes  A.  B  in 
which  messages  may  be  sent  from  A  to  B  and 
from  B  to  A.  Each  process  is  initially  in  a 
tossing  state.  Each  process  in  tossing  state  de¬ 
cides  nondeterministically  (by  a  coin  toss,  for 
instance)  to  enter  either  a  receiving  or  a  send¬ 
ing  state.  A  process  in  the  receiving  state  waits 
until  it  receives  a  message  and  then  returns  to 
the  tossing  state.  A  process  in  the  sending  state 
sends  a  message  and  then  returns  to  the  tossing 
state.  If  both  processes  are  in  the  receiving  state 
and  every  message  sent  has  been  received,  then 
both  processes  will  remain  waiting  forever.  The 
goal  of  the  termination  detection  algorithm  is 
to  detect  such  a  situation. 

In  the  sequel,  we  use  underlying  computation 
to  mean  the  computation  associated  with  coin 
tossing,  sending  and  receiving  of  messages  as 
described  above.  The  termination  detection  al¬ 
gorithm  superimposes  an  overhead  computation 
on  the  underlying  computation  at  each  process; 
we  use  computation  to  mean  the  underlying 
computation  and  overhead  computation  togeth¬ 
er.  Overhead  messages  and  underlying  messages 
belong  to  the  corresponding  computations. 

The  overhead  computation  at  a  process  can 
observe  the  state  of  the  underlying  compu¬ 


tation.  but  cannot  affect  it.  The  overhead  com¬ 
putation  may  have  its  own  associated  states 
and  it  may  send  messages  (to  the  overhead  com¬ 
putation  at  the  other  process)  even  when  the 
underlying  computation  is  waiting  to  receive. 
However,  a  message  is  received  only  when  the 
underlying  computation  is  waiting  to  receive. 
We  require  that  whenever  the  termination  de¬ 
tection  algorithm  reports  termination,  the 
underlying  computation  has  terminated  (both 
processes  are  in  receiving  state  and  there  is  no 
underlying  message  in  channels);  furthermore, 
for  every  computation  .x  in  which  the  underly¬ 
ing  computation  has  terminated,  there  is  a  com¬ 
putation  y,x^y,  in  which  termination  is  report¬ 
ed  by  the  overhead  computation  at  one  of  the 
processes. 

We  show  that  for  any  k,  k^O,  there  is  a 
computation  in  which  k  underlying  messages 
are  sent  and  received  and  at  least  k  overhead 
messages  are  sent.  The  plan  of  the  proof  is  as 
follows.  We  first  show  that  in  order  for  termi¬ 
nation  to  be  detected,  an  overhead  message  is 
sent  by  some  process,  without  its  first  receiving 
a  message,  after  the  underlying  computation 
terminates;  this  fact  is  proven  directly  from  the 
theorem  of  knowledge  gain,  because  detecting 
termination  amounts  to  gaining  knowledge. 

Next,  we  show  that  a  process  is  sometimes 
required  to  send  an  overhead  message  even 
when  the  underlying  computation  has  not  ter¬ 
minated,  because  the  computation  may  be 
isomorphic  (with  respect  to  this  process)  to  a 
computation  in  which  the  underlying  compu¬ 
tation  has  terminated.  Using  these  two  results, 
we  construct  a  computation,  of  the  required 
type,  for  any  k,  k^O. 

Theorem  10.  For  any  k,  k^O.  there  is  a  com¬ 
putation  in  which  k  underlying  messages  are  sent 
and  received  and  at  least  k  overhead  messages 
are  sent.  □ 

Proofs.  We  will  prove  a  slightly  stronger  result, 
/(k),  for  any  k, k^O,  where  /(k)  is;  there  is  a 
computation  in  which  k  underlying  messages 
are  sent  and  received,  at  least  k  overhead  mes¬ 
sages  are  sent  and  both  processes  are  in  toss¬ 
ing  state  at  the  end  of  the  computation.  Proof 
is  by  induction  on  k. 

For  k  =  0:  /(O)  holds  for  the  null  compu¬ 
tation,  from  the  initial  condition. 

Let  .X  be  a  computation  for  which  /(k)  holds 
for  some  k,  k^O.  We  show  a  computation  z  in 
which  /(k  + 1)  holds. 


•r. 


i 


•  I 

i 


■::3 


•«  \ 
r/' 


K.M.  Chandy  and  J.  Misra;  How  processes  learn 

Let  tr^itrg)  denote  an  internal  event  at  A{B) 
whereby  the  process  transits  from  tossing  state 
to  receiving  state;  similarly,  let  ts^itsg)  denote 
the  transition  from  the  tossing  to  sending  state. 

Consider  the  computation  x'  =  {x-,tr^,trg). 
Since  no  underlying  message  is  in  transit  in  x 
and  both  processes  are  waiting  to  receive  in 
a',  a'  has  a  terminated  underlying  computation. 

For  each  process,  “process  is  in  receiving 
state”  is  a  local  predicate  of  the  process.  This 
predicate  value,  for  each  process,  is  false  at  x.  If 
a  process  (say  B)  detects  termination  at  some 
y. then  B  knows  A  is  in  receiving  state  at 
y.  Therefore.  B  gains  knowledge  about  A  and, 
applying  the  knowledge  gain  theorem  (theo¬ 
rem  5),  there  is  a  process  chain  </l,  B>  in  (.x'.y). 
Therefore,  in  general,  either  there  is  a  process 
chain  </4  B>  or  a  process  chain  <B/1>  in  (.v,  y). 
Let  y'  be  such  that  .x^y'<y,  (.x,  y')  contains  no 
process  chain  B>  or  <B/1>  and  (x,  y  )  con¬ 
tains  a  message  send  (which  must  be  an 
overhead  message)  by  some  process,  say  A. 

Let  u  =(.x;rr^;  ts^:  B  sends  underlying  mes¬ 
sage).  Since  there  is  no  process  chain  (A  B}  or 
<B/4>  in  (.X, y  )  or  (x.  n).  we  can  apply  the  fu¬ 
sion  theorem  (theorem  2)  to  y'  and  w  to  obtain 
a  computation  w',  where  x^h',  h'[B]w  and 
w'\_A']y'.  In  computation  (.x.  u'),  B  has  sent  an 
underlying  message  and  A  has  sent  an  overhead 
message  before  receiving  the  underlying  mes¬ 
sage.  To  complete  the  proof,  we  note  that 
there  is  an  extension  r  of  w'  in  which  A  receives 
the  underlying  message  sent  to  it  by  B.  Com¬ 
putation  ;  satisfies /(/c-i- 1).  □ 


6  Discussion 

We  have  shown  that  isomorphism  between 
system  computations  with  respect  to  a  process 
is  a  useful  concept  in  reasoning  about  distribu¬ 
ted  systems.  Isomorphism  forms  the  basis  for 
defining  and  deriving  properties  about  knowl¬ 
edge.  “Scenarios”  have  been  used  [7]  to  show 
impossibility  of  solving  certain  problems;  in  our 
context,  a  scenario  is  a  computation,  and  iso¬ 
morphism  is  the  formal  treatment  of  equiva¬ 
lence  between  scenarios.  Theorems  on  knowl¬ 
edge  transfer  provide  lower  bounds  on  numbers 
of  messages  required  to  solve  certain  problems. 
We  have  used  isomorphism  as  the  basis  of  fu¬ 
sion  theorem  and  related  isomorphism  to  se¬ 
mantics  of  send,  receive  and  internal  events. 

In  this  paper,  we  have  not  defined  processes 


51 

in  terms  of  their  states.  The  notion  of  isomor¬ 
phism  between  computations  could  be  defined 
in  terms  of  process  states  as  follows:  two  com¬ 
putations  X  and  y  are  state-isomorphic  with  re¬ 
spect  to  a  process  p  means  the  state  of  p  after  x 
is  the  same  as  its  state  after  y.  Observe  that  x 
and  3'  are  isomorphic  with  respect  to  a  process 
implies  they  are  state-isomorphic  with  respect  to 
that  process.  With  knowledge  defined  in  terms 
of  state-isomorphism,  a  process  may  lose 
knowledge  by  an  internal  event,  that  is,  by 
merely  by  changing  its  state.  However,  knowl¬ 
edge  can  be  gained  only  be  receiving  messages. 
In  other  words,  processes  may  “forget”  on  their 
own  but  cannot  learn  without  receiving  infor¬ 
mation.  The  theorem  of  knowledge  transfer  ap¬ 
plies  even  with  knowledge  defined  in  terms  of 
state-isomorphism.  This  is  an  area  worth  pursu¬ 
ing,  as  it  may  provide  insight  into  designs  of 
processes. 

Our  model  does  not  have  the  notion  of 
time.  If  there  is  a  global  clock  common  to  all 
processes  then  processes  may  learn  or  forget 
merely  by  the  passage  of  time.  For  instance,  in 
time-division  multiplexing,  the  mutual  exclusion 
problem  is  solved  by  letting  the  i-th  process  be 
in  its  critical  section  during  the  i-th  slot  in  the 
time  cycle.  In  this  case,  a  computation  is  a 
tuple  consisting  of  the  “current”  time  and  a 
sequence  of  timed-events  where  each  timed- 
event  is  a  pair  (time,  event).  The  concept  of 
isomorphism  remains  valid,  though  the  knowl¬ 
edge  transfer  theorems  no  longer  hold,  because 
knowledge  can  be  gained  and  lost  merely  by 
the  passage  of  time. 

It  is  tempting  to  define  belief  in  terms  of 
isomorphism  as  follows:  process  p  believes  b  at 
X  means  b  holds  for  most  (in  measure-theoretic 
terms)  computations  isomorphic  to  x  with  re¬ 
spect  to  p.  Unfortunately,  there  do  not  appear 
to  be  clean  results  on  the  gain/loss  of  belief  or 
belief  transfer. 

In  this  paper,  when  we  say  a  process  knows 
b.  we  allow  b  to  be  an  arbitrary  predicate:  b 
may  be  temporal,  for  instance  of  the  form: 
eventually  b'.  For  example,  in  a  commit  pro¬ 
tocol  a  process  committing  itself  to  a  value  v 
knows  that  all  correct  processes  will  eventualh 
commit  to  v.  Results  about  knowledge  transfer- 
gain  or  loss-still  hold. 

AtkiiowMffcmunt.  We  are  indebted  to  Shmuel  Katz.  Joe 
Halpern.  E.W,  Dijkstra  and  Bengt  Jonsson  for  their  com¬ 
ments.  Particular  thanks  go  to  Ernie  Cohen  for  a  careful 
reading  of  the  manuscript  and  insightful  comments. 


References 


1. Chandy  KM,  Misra  J  (1984)  Drinking  philosophers 
problem.  TOPLAS.  October  1984 

2.  Fischer  MJ,  Cjmch  N.  Paterson  M  (1985)  Impossibility 
of  distributed  consensus  with  one  faulty  process.  J 

.  ACM,  April  1985 

3.  Halpem  JY,  Moses  Y  (1984)  Knowledge  and  common 
knowledge  in  a  distributed  environment.  ACM  SIGAC- 
T'SIGOPS  Symposium  on  Principles  of  Distributed 
Computing,  Vancouver,  Canada,  August  1984 


4.  Hintikka  J  (1962)  Knowledge  and  belief.  Cornell  Uni¬ 
versity  Press 

5.  Lamport  L  (1978)  Time,  Clocks  and  the  ordering  of 
events  in  a  distributed  system.  Communications  of  the 
ACM  21:  558-564 

6.  Lehmann  D  (1984)  Knowledge,  common  knowWge, 

and  related  puzzles.  ACM  SIGACT-SIGOPS  Sym¬ 
posium  of  Principles  of  Distributed  Computing.  Van¬ 
couver,  Canada,  August  1984  ^  ,  .u- 

7.  Lynch  N&  Fischer  M  (1982)  A  lower  bound  for  the 
time  to  assure  interactive  consistency.  Information  Proc 
Letters  14,  4,  June  1982 


Correction  to  the  Paper: 


A  Really  Abstract  Concurrent  Model  and 
its  Temporal  Logic 

by:  Barringer,  Kuiper  and  Pnueli 


Not  all  the  positive  operators  of  the  Real  Temporal  logic  are  continuous.  All 
of  them  are  monotonic.  We  distinguish  two  types  of  continuity.  Aai  operator  (p{X) 
is  defined  to  be  V-continuous  if  it  satisfies 

v>(y  p») = y 

i<u  i<u 


It  is  defined  to  be  A-continuous  if  it  satisfies 

V>(/\  Pi)  =  /\  ^(P.) 
«<u>  i<u> 


The  following  operators  are  V-continuous; 

V,A,^  ,<^  ,AX.(pliX),AX.(pSX) 

The  following  operators  are  A-continuous: 

V,A,  S,  B,AX.{XI/7),AX.(X59) 

A  general  equation:  X  s  ^(X)  where  ^  is  a  monotonte  operator  has  both 
a  minima]  and  a  maximal  fixpoint  solutions,  denoted  by  /iX.ip  and  t/X.<p  respec¬ 
tively.  These  solutions  can  be  obtained  by  limits  of  approximations  which  for  a 
general  monotonic  operator  must  be  carried  to  an  ordinal  order.  They  can  be 
defined  by: 

(Jf)  =  X, 

For  a  non-limit  ordinal  (or  finite  index) 

vZ*'{x)  =  v(‘P’lx)) 


p?(x)  =  V 

a<p 


For  a  limit  ordinal  0 


For  every  monotonic  fp  there  exists  an  ordinal  a  such  that 


iiX.p  =  tpy[F) 


If  ^  is  also  V>continuous  then: 


=  v'iiF)  =  V 


Similarly,  for  approximating  the  maximal  fixpoint  we  define: 
v'kiX)  =  X 

=  (p{<p%{X))  For  a  non-limit  ordinal  a  +  1 
P^(X)  =  ^  V’aC-^)  for  a  limit  ordinal 


For  every  monotonic  there  exists  an  ordinal  a  such  that 


uX.p  =  v?^(r) 


If  ^  is  also  A-continuous  then: 


uX.v  -  v1,{T)  =  A  P’OT 


A  Really  Abstract  Concurrent  Model 
and  its  Temporal  Logic 

Howard  Barringer^ 

Ranrd  Knipor^ 

Amir  Paneli^*) 

Extended  Abstract 
Jnly  1985 

(1)  Uahrersity  ct  Manchester,  Manchester,  England 
(3)  Weiunann  Institute  ot  Science,  Rehovot,  Israel 


Abstract.  In  this  paper  we  advance  the  radical  aotioa 
that  a  compntatiaaal  model  baaed  on  the  raalt  provides 
a  more  abstract  descriptioa  at  caocacreat  and  reactive 
systems,  than  the  conventional  iatsfsre  baaed  behavioral 
model  of  execntion  ssfscnoca  The  real  model  ia  stud* 
ied  in  the  setting  of  temporal  logic,  and  we  ittnstrate  its 
advantages  by  providing  a /U/y  adstmcf  temporal  seman¬ 
tics  for  a  simple  coacnrrent  laagnage,  and  an  example 
of  veriflcatioa  of  a  eoacnrrcat  program  whhia  the  teal 
temporal  logic  detned  here.  It  is  shown  that,  by  impos¬ 
ing  the  crucial  condition  of  flmUt  aantMUt,  we  adieve  a 
balaneed  formalism  that  is  insensitive  to  fimHe  stuttering, 
but  can  recognise  iafinU*  stuttering,  a  distinction  which  is 
essential  for  obtaining  a  fully  abstract  semantics  of  non- 
terminating  processes.  Among  other  advantages,  going 
into  real-based  semantics  obviates  the  need  for  the  con¬ 
troversial  representation  of  coaeutiency  by  interleaving, 
and  most  of  the  associated  fairness  constraints. 

Introduction 

Temporal  logic  is,  by  now,  a  widely  accepted  formal 
tool  for  the  speciflcation  and  verilcation  of  concurrent 
and  reactive  systems  (see  |MPl|,  (Lal|,  [OL|,  (HO|,  [SMS|, 
|CE|,  |CM|  and  many  others).  The  underiying  time  struc¬ 
ture  upon  which  those  systems  ate  based  is  diterete,  and, 
ia  the  linear  temporal  logic  case,  is  isomorphic  to  the  non- 
negative  integers  and  modeb  the  execution  sequences  that 
the  specified  program  generates. 

The  research  was  supported  in  part  by  SERC  grant 
GR/C/0S760. 

Part  of  the  research  of  the  third  author  was  supported  by 
ONR  grant  N00014-85-K-0057  while  vbitiag  the  Univer¬ 
sity  of  Texas  at  Austin. 

Pmuitiion  lo  copy  widioM  fee  all  or  part  of  ihii  material  it  iranied 
provided  that  ihe  copies  are  sol  made  or  distributed  for  direct 
commeicial  advantage,  the  ACM  copyright  notice  and  the  title  of  the 
publication  and  its  date  appear,  and  notice  is  given  that  copying  U  by 
permission  of  the  Association  for  Computing  Machinery.  To  copy 
otherwise,  or  lo  republish,  requires  a  fee  and/or  specific  permission. 

©  i986  ACM.<M979l-175-X-l/86mi73  S00.75 


An  important  step  in  the  construction  and  justifies 
tion  of  temporal  proof  systems  b  the  definition  of  tem- 
porsf  semanfies,  which  constructs  for  a  ghrea  program  P 
a  characteristic  formula  sometimes  denoted  by  |[P]], 
such  that  dp  b  true  precisely  over  all  the  admissible  exe¬ 
cutions  of  P.  Such  definitions  have  been  ghrea  for  ^obal 
systems  in  |Pnl),  |MP2j,  and  in  a  more  syntax  directed 
style,  snitabfe  to  compositional  proof  systems  in  (BKPl), 
1BKP3|. 

When  comparing  the  temporal  semantics  of  concup- 
rent  programs  with  other  semantic  definitions  we  find  that 
they  are  deficient  in  one  respect.  Namely,  they  do  not 
achieve  /a//  aittraeimetti  FnU  abstractness  ([Ml|)  b  a 
moat  important  criterion  which  requires  that  the  seman¬ 
tics  level  of  detail  should  match  the  desired  level  of  ab¬ 
stractness.  In  particular  it  requires  that  any  two  programs 
that  we  wbh  to  consider  equivalent,  should  be  assigned 
identical  semantics.  For  sequential  programs  we  can  easily 
say  that  it  was  the  strive  towards  fall  abstractness  that 
led  from  the  overiy  detailed  operational  semantics  into 
the  much  more  satbfoctory  denotations!  domain-bmed 
semantics. 

Consider  the  following  two  program  segments  that 
represent  modules  in  a  concurrent  program: 

Pi  ::  z  :s  1;  s  :s  x;  z  :a  2  ,  and 

Pj  ::  z  :s=  1;  z  :=  z;  z  ;=  z;  z  :=s  2 

They  difler  by  the  number  of  dummy  z  ;a  s  msign- 
meats  separating  the  two  externally  observabfe  instruc¬ 
tions  z  :s  1  and  z  :=  2.  At  the  qualitative  level  that 
we  want  to  anaiyie  such  concurrent  programs,  these  two 
program  segments  should  be  considered  equivalent. 

Let  us  examine  whether  thev  temporal  semantics 
are  indeed  identical.  We  consider  first  the  logic  m 
^(0<  11 )  presented  in  [MPl]  and  other  related  works.  Thb 
logic  uses  the  basic  operators  O  (next  time)  and  U  (until), 
over  an  integer-like  execntion  sequence. 

Without  giving  the  precise  temporal  semantics  of  Pi 
and  Pj  we  can  still  explain  how  tMy  differ.  The  tem¬ 
poral  semantics  of  Pj  (in  the  L®  logic)  requires  that  ia 
any  computation  sequence  of  P|,  the  z  =  1  and  z  =  2  ate 


173 


■•panted  bjr  •!/«•(<  Seonpatatkm  ■tep*  (ortwoatenn^ 
diate  statei).  la  Pi  the  lower  bouad  is  oa^  two  eoBipat»- 
tioa  steps.  Coaseqaeatljr  the  semaatiu  distiaKoishes 
betweea  Pi  aad  Pi,  aad  heace  is  aot  fully  abstract. 

Lamport  perceived  this  lack  of  abstractaess  ia  the 
logic  aad  attributed  the  problem  to  the  aext-time  opera¬ 
tor.  Cousequeutljr,  Ih&temporal  logic  that  he  worin  with 
(|LalJ,  (ra.))  is  £'*'  s  L(U),  which  uses  ouly  the  uatil 
operator  (or  aa  ^propriate  eqnivaleat).  He  abo  formu¬ 
lated  the  requiremeat  that,  ia  order  to  be  abstract,  the 
logic  must  be  iaseasitive  to  MnUtritit,  which  he  deflaed 
as  flaite  coasecutive  dupUcatioa  of  some  states.  ladeed 
aay  executioa  sequeace  of  P]  msy  be  obtaiaed  from  some 
executioa  of  Pi  by  dupUcatioa  of  some  states,  aad  the 
semaatics  that  would  be  assigaed  to  Pi  aad  P]  ia  the  L* 
logic  are  ideatical: 

Ip’ll  =  iPsI  =  O  [(•  =  i)a+(*  =  2)1 

where  we  use  the  deflaed  operator  =  (p  A  pUq). 

Uafortuaately,  while  this  aext-less  logic  provides 
aa  abstract  semaatics  far  flaite  processes,  Le.,  haviag 
bouaded  executioas,  it  raises  aew  probleou  whea  we  go  to 
iaflaite  processes.  We  may  iaterpret  the  view  represeated 
by  Lamport's  approach  by  sayiag  that  there  is  ao  ahse/afe 
time  scale  agaiast  which  executioas  are  measured.  Time 
advaaces  oaly  whea  there  is  a  (state)  chaage.  Clearly, 
such  a  view  would  aaturally  iguore  aay  finite  periods  of 
BO  chaage.  However,  by  the  same  tokea,  it  would  also 
iguore  (or  collapse)  infinite  periods  of  ao  chaage,  which 
is  uaacceptable. 

Coasider  the  foUowiag  recursive  procedure 
P  <=  [*  :=  »;  P| 

where  it  is  assumed  that  the  process  P  owne  the  vari¬ 
able  X,  ia  the  sease  that  P  is  the  oaly  process  which  msy 
modify  z. 

The  comniOB  assodatioa  of  senuatics  to  such  a  pro¬ 
cedure  is  to  farm  a  flxpoiat  equatioa  for  a  temporal  predi¬ 
cate,  where  the  right  haad  side  of  the  equatioo  is  obtaiaed 
from  the  semaatks  of  the  procedure's  body.  We  therefore 
look  for  the  mnximnt  solutioa  to  the  equatioa: 

X  =  aa.((s>«)a'^((z»u)A.Y)| 

It  is  aot  difficult  to  see  that  the  aiaximal  solutioa  is 
X  =  T,  i.e.,  all  possible  behaviors,  ia  particular  those  that 
arbitrarily  modify  a.  This  caa  be  explaiaed  by  the  fact 
that  the  procedure  P  produces  iaflaite  stntteriag  which 
the  L*  semaatics  coasumes  ia  zero  time,  aad  leaves  the 
rest  of  the  executioa  uarestricted. 

If  ia  comparisoa  we  coasider  the  seoiaatics  assigaed 
to  this  process  by  the  logic,  we  replace  U*  by  U^, 
deflaed  as  rli^q  3  r  A  O(rttg).  Thea  the  solutioa  is 


Le.,  a  is  coatiaaously  preserved,  which  is  what  we  iata- 
itively  expect. 

Thus  we  flad  that  is  uasatisfactory  because  it  is 
seasitive  to  flaite  stutteriag,  while  L'*'  is  uasatisfactory 
because  it  is  iaseasitive  to  iaflaite  stutteriag. 

These  difficulties  are  aot  speciflc  to  temporal  semaa¬ 
tics.  To  the  best  of  our  kaowledge,  ao  adequate  composi- 
tioaal  seiaaatics  of  coaeurreut  prograau  which  satisfles  all 
of  the  four  folkwiag  requiremeats,  has  yet  beea  proposed. 

1.  Allows  aoadeteratiaism  ia  the  processes. 

2.  Treats  fair  parallelism. 

3.  b  folly  abstract,  ia  particular  is  iaseasitive  to  fl- 
aite  stutteriag. 

4.  Properly  treats  divergeat  processes,  ia  particular 
iaflaitely  stutteriag  processes. 

Most  of  the  works  that  did  propose  semaatics  of  coa- 
curreat  progtaais  are  usually  deflcieat  ia  poiats  2  or  4 
or  both.  Poiat  4  is  of  coarse  hi^ly  subjective,  aad  we 
have  our  owa  iaterpretatioa  of  what  the  "proper”  treat- 
ment  of  aoatermiaatiag  processes  should  be.  By  thu 
iaterpretatioa  aoBterauaatioB  should  aot  be  coasidered 
catastrophic,  aad  a  sileatly  divergeat  (iaflaitely  stutter¬ 
iag)  process  should  have  ao  effect  oa  aay  process  ruaaiag 
ia  paraUeL  except  whea  termiaatioa  of  the  full  system  is 
coasidered,  which  we  igaore  ia  this  treatmeat.  Thus  if  we 
deflae  the  sileatly  divergeat  process: 

1  =  [P  where  P  (  ekip  ;  P)) 
we  would  like  to  have 

(1 II  <?)«<? 

for  aay  process  <?. 

Usually,  ia  worics  such  as  |HM|,  |dBMO|,  [Br|,  the 
sileatly  divergeat  process  1  is  treated  either  as  catas¬ 
trophic  (the  Smyth  view)  or  as  cheer  (completely  uaspec- 
ifled  process)  which  leads  to  equivaleaces  of  the  form 

(1 II  <3)  «  1. 

Ia  our  previous  work  (|MP2|,  (BKPlj,  |BKP2|)  usiag 

we  usually  achieved  requiremeats  1,  2,  aad  4  but  had 
to  give  op  oa  3.  la  this  paper  we  suggest  that  liaear  tem¬ 
poral  logic  with  the  time  structure  of  the  (aoa  aegative) 
real  aumhcrr  provides  a  mote  abstract  logic  thaa  that  of 
the  aoa  aegative  iategers,  aad  succeeds  ia  meetiag  all  the 
four  criteria  above. 

Temporal  Logic  of  the  Reals  (TLR) 

Let  V  =  £  u  C  be  a  set  of  variables  which  is 
partitioaed  iato  £  s  {vi,...}  the  local  variables,  aad 
G  s  (ui,...}  the  global  variables.  For  simplicity  we  as¬ 
sume  that  soiae  of  the  variables  raage  over  a  iata  doataia. 


X  =  3h.  □(•  =  tt) 


fWffrliti'fm 


aad  tk«  othen,  vkkk  ««  call  frtpMiU0ma,  nageortr  ike  tkat  tke  praeat  (point  t)  ia  not  conaidand  aa  a  part  at 

boolann  domain  {F,r}.  tke  fktnie. 


A  modal  over  V  ia  an  aaaignment  ot  tkat  aaaisaa  to 
anek  variable  v  6  V  and  each  non-negntive  teal  anmber 
I  >  0,  a  valae  a(v,  I)  bom  the  appropriate  domain.  Tke 
amifawwl  o  ia  iminiied  to  aatb^ 

a)  Unifonnity  at  global  interpretation  - 

For  aoA  §Mal  variabla  n  €  G,  0(0, 1)  ia  indepen¬ 
dent  of  I. 

b)  Finite  vnriability  - 

lor  each  local  variable  p  €  £  there  exiata  a  deanmer- 
able  aeqneace: 

Oslo<li<<a<--  «itkt.->ao 

aadi  tkat  tke  valae  of  et(p,  <)  ia  anifgrm  wHkia  each 
open  interval  (l<,  Le.,  for  every  I,  I*,  if  <  I  < 

f  <  li+i  then  fli(y,l)  «  o(p,i*). 

Condition  b)  gnaranteea  tkat  there  eonld  be  no  ini* 
nite  variability  within  a  Inita  interval,  and  tkat  tke  inter¬ 
pretation  of  caek  variable  can  be  decompoaed  into  eonnt- 
ably  many  open  intervala  of  coaataat  valae.  Note  tkat  we 
do  aot  icatrict  tke  valnea  at  tke  break-pointa  <«,  which 
canid  be  different  bom  the  valnea  of  their  left  or  right 
oetghbor  intervale. 


The  temporal  lo  gic  we  coaoider  ia  baaed  on  the  oper- 
atora  U  (nntil)  and  i  (rince)  (|I<PZ|). 

We  delne  tke  valne  of  terma  and  atate  formnlae  at 
a  nonaegative  real  iaatant  I  of  a  modri  ot  by  evalnatiag 
them  pointwiie,  Le,  naing  o(oj,l)  whenever  the  value 
•i  k  needed.  For  a  atate  formnla  fp,  we  denote  by  g>(o,l) 
the  valne  obtained  by  each  pointwiae  evalnatioa  at  point 
I.  Then  we  deine  aatialability  aa  fellowK 


(«.<)h(diVda) 

(o,l)hd0t» 


(ot,l) 


a 

># 

iff 

iff 


iff 


d(o,  I)  s  r  where  d  ■  e  rtate 
fomnla 


(or.*)  h  di  O' («.0  h  da 

31",  I  <  1*.  anch  tlmt 

(a,f*)^d>Bd 

for  every  f*,  I  <  I*  <  f , 

(«.Ohd 

31*1 0  <  I"  <  I,  anch  tkat 

(0.0  hd 


Two  additional  logical  operatora  that  ate  needed  ate 
gnanltlteatMa  and  fflxfoiaL 

The  aemaatica  of  the  exiateatial  qnantilar  ia  given 

hr 


(o,t)  |b  3v.|P  iff  there  exiata  a  model  ot'  difhring 
bom  o  bjr  at  moot  the  aaaigameat  givea 
to  a,  anA  that  (o',  I)  |w  iP 

Note  that  we  allow  qnantileation  over  both  ^obal 
and  local  vnriablea,  ia  contraat  to  |MPl|  where  qnantil- 
cation  a  allowed  only  over  global  vatiablea.  When  qnaa- 
tiering  over  a  local  variable  p,  the  requirement  that  a'  be 
a  model  according  to  the  delaition  ghrea  above  impliea 
that  V  aatialea  the  Inite  variabiiity  condition. 

Univetaal  qnantilcatioe  may  be  iataodaeed  aa  a  de¬ 
rived  operation: 


Vp.(p  « 

la  order  to  delne  the  Ixpoiat  operator  it  helpe  to 
alightiy  ahift  our  view  of  the  aemaatica  ot  temporal  Ion 
mnlae  and  delne  for  each  formnla  p  and  a  non-negative 
real  number  t  >  0,  their  (at«a<  (vahdity-eet)  given  by: 

ff(fP,<)  «  {o|  (a,l)  H>(P} 

Thia  delaition  amociatea  with  each  formnla  p  and 
time  inatant  I  >  0,  a  act  of  all  the  poaaible  modeia  that 
aatisfy  fp  at  f.  Thia  leada  to  a  view  by  which  each  formnla 
p  ddnea  a  function  bom  It*’  (the  non-aegathre  reak) 
to  M,  the  act  of  all  modeia  (over  K).  Let  P  s  [ff'*’  -»  Jd| 
denote  the  att  at  all  fnnctiona  bom  to  M.  It  ia  aot 
diScnlt  to  aee  that  it  ia  a  complete  lattice,  actually  a 
complete  boolean  algebra.  The  ordering  on  F  ia  cloaety 
connected  to  implication  between  formnlm.  Thna  pC 
(when  interpreted  aa  elementa  at  P)  iff  p  -*  k  valid. 
Conaeqnently  the  minimal  elemmt  at  P  k  F  ^  Af.d  and 
the  mmrimal  element  ot  P  kT  ^  Al.Jd. 

The  logical  operatora  may  now  be  viewed  m  tanctiona 
bom  P  to  P.  Tima  for  ever  two  elementa  ei,ei  6  0,  we 
may  expreaa  the  operatora  of  diqaactioo  and  nnH  fay: 


Note  that  differently  bom  the  integer-baaed  IL,  the 
baak  unlff  operator  pUip  k  atrict  and  gnaranteea  a  non 
empty  p  intorvuL  We  nuy  alao  delne  aoaae  derived  oper^ 
atora: 

pAl^m-,{pyft)  (P-»t>»(-lPVit) 

Wp»TUp  ^p»TSp 

pU-^i^mpApii^ 

The  derived  temporal  operatora^,  S  hnveafaailar 
meaning  to  that  of  their  integer^baaed  connterparta,  ei^ 
capt  tkat  in  real  temporal  logic  they  are  atrict,  maa^g 


d  Vof  3 Cl  uof  s  Al.{a  I  a €ei(l)  or 
a€ei(l)} 

eille,  3  Al.{a  |  3l"|f  <(*,06  6.(1")  and 

Vl',<<l'<l",oeei(l'))) 

We  can  ahow  that  all  the  operatora  delned  above 
exclndiag  -.  are  continnona,  while  -•  ia  aati-coatinnona 
over  P.  Conaeqnently,  we  conaider  eqnationa  of  the  form: 

XspiX)^ 

where  X  ia  a  local  propoaitioa  variable,  and  p  ia  a  temp<^ 
ral  formula  in  whid  all  inatancea  of  X  ate  poaitive.  La, 


175 


caeompaMcd  bjr  am  cms  aoinbw  at  segatiaa*.  la  rack  « 
rmm»  t]iii  eqaatkw  it  kaowa  to  have  both  a  anatmU  aad  a 
— M^tioa.  We  deaote  them  lespectively  by 
aad  vX.^.  The  ataal  piopettjr  of  extieoial  flxpoiatt  be- 
lag  obtaiaed  by  Uaiits  of  flaite  ^pwatimatioai,  eaa  be 
cxpiciaed  ia  oar  etaabir 

CO 

vx.ip  s  /\  (p'(r) 

teO 

where  toe  ^  *  (p(JC)  we  delae  V^{X)  «  X  aad 
V»-^X)  =  p(<f>*(X)). 

As  a  simple  exaaipla  eoasider  the  eqaatioa 
Xs4(paj:) 

Its  maximal  flxpoiat  caa  be  obtaiaed  by  appioadma- 
tioas.  Deaotiag  {p(X)  «  ^  (p  A  X),  we  caa  show  that 
p'(r)  holds  ok  t  i§  there  are  •  dhrtiaet  tisae  iastaats 
(  <  (i  <  ...  <  (i  each  that  p  holds  at  each  of  the  it,...,  I<. 
Coaseqaeatly  vX.p  holds  at  I  tethers  are  iadaite|y  maay 
poiats  ahead  of  f  at  which  pis  trae.  Ia  teal  ten^o^  logic 
this  leads  ux 

i/X.^  (p  A  X)  s  ( Q  ♦p  V  ♦  (pUT)) 

Oa  the  other  haad,  the  miafaaal  Ixpoiat  of  this  eqaa¬ 
tioa  it  F.  This  is  dae  to  the  fhet  that  F  satisfles  the 
eqaatioa  aad  is  also  the  miaimal  ilsmsat  of  0.  We  thas 
have; 

mX.^(pAX)9F 

.\a  importaat  obeervatioa  is  that  aB  the  operators 
iatrodaced  respect  the  laite  rsciebility  rsstrietioB.  This 
meaas  that  the  laite  eariabilily  lastrfctioa  holds  aot  oaly 
for  the  propoaitioas  aad  aariables,  bat  alto  for  aay  tem¬ 
poral  fiMas^  deiaed  ovtr  them. 

Axionutic  CluractariMtioii  of  tha  Real  Tsoipo- 
ral  Logic 

Wheaerer  a  logic  is  iatrodaced  aad  rscoouacaded  aa 
a  tool  for  formal  reasoaiag  aboat  programs,  aa  esseatial 
part  of  this  tecoasaieadatioa  shoald  be  a  dedactiee  sys¬ 
tem  that  sapports  aoaad  reasoaiag  withia  the  logle  itself. 
Siace  the  fall  logie  is  clearly  aot  laitely  axfamatisable,  we 
win  iatrodace  the  dedacthre  system  we  propose  ia  steps, 
iadkatiag  the  step  at  which  we  lose  cooipletoaeas  aad  de¬ 
cidability. 

The  PropositioBal  Ragmeat 

The  propoeitiooal  fragmeat  is  obtaiaed  by  reqairiag 
that  ail  the  variables  ia  K  are  propothioas,  Le.,  laage 


over  {F,  T}.  la  this  ease  flatal  qaaatileatioa  eaa  be  ehas- 
iaate^  This  is  becaaae  tor  a  global  propoeitioa  a: 

aw.p(w)  s  p(T)  V  (p(/’). 

Coosider  Irst  the  laagnage  without  (local)  qoaatil- 
catioB  or  focpmat  operators.  We  propose  the  foUowiag 
axiomatisatioa; 

FO.  All  sabstitatioa  iastaaces  of  propositioBal  taatok^ 
gies. 

FL  S(p -♦  -*  {(fpfid-*  Infill  A  (dfiio -» dll  ^l>l} 

FZ  pAdU^->dti[^Ad5pi 

F3.  s  |p 

F4.  ptii^  spU\p^piiit\ 

FS.  {pUt)  A  (p  A  -<d)2i^ 

FI.  p{(|i)AdUp-*  (pAd)U(^Ap)  V  (pAd)Q(tftAd) 
V  [p^t)U{pAp) 

Six  additioaal  axioms  Pl-^l  ate  obtaiaed  as  the  mir¬ 
ror  images  at  Fl-FI,  that  is,  by  iaterchaagiag  ia  each 
axiom  Q  with  B  aad  U  with  5. 

Axionw  Fl  aad  PI  state  that  the  H  aad  ^  operators 
ace  aioaotaaie  ia  both  argamcats. 

AxioiDs  P2  aad  P3  speciiy  the  lelatioa  of  leleetioa 
holdiagbetweea  past  aadfotare.  AxionuFS,  F4aad  their 
past  coaaterparts  characterise  the  tiaie  stractnie  at  beiag 
dcass,  Le.,  betweea  every  two  iastaats  there  exists  aa  ad- 
ditiaoal  iastaat  dbtiact  ttom  both.  To  see  this,  eoasider 
a  siaipler  veisioa  ^p  -*  ^^p  which  also  character¬ 
ises  deasity.  It  cettaialy  does  aot  hold  ia  integer-based 
TL,  whea  we  iaterpret  as  O0p.  Axioms  F6  aad 
P6  state  that  the  time  stnetare  is  limaar.  Esseatially  it 
says  (hat  if  both  p  aad  p  are  boaad  to  happen,  then  they 
win  either  bappea  simnltaacoBsly  or  one  wiU  precede  the 
other. 

FT. 

PT.  BFv^BF 

Axiom  FT  states  that  the  fotnie  b  unbounded  while 
PT  asyBuaetricaUy  states  that  the  pmt  does  hatve  a  del- 
aite  starting  point. 

the  proposed  system  iaclades  the  foUowiag  iafereace 
rales: 

Rl.  Modas  Poaeas:  I*  p,  I*  (p  -*  p)  *  i*  P- 
K2.  GeaeraUsatioB:  t-  p  »  H  S  p,  K  Bp. 

the  system  coasbtiag  of  axioms  FO-^T,  Pl-PT  aad 
tales  Rl,  R3  b  taken  almost  verbatim  from  |Bn|,  where 
b  b  stated  that  it  forms  a  soand  and  complete  axiomatic 
system  for  the  considered  fragmeat  of  propositional  TL 
over  the  ratiamai  half  line  Q*  *  {r  6  Q  |  r  >  0}. 

Ia  order  to  charactetiu  the  real  half  line  R***  we  asa- 
aily  add  a  esmpfetcaess  axtonu  Thb  axiom  states  that 
any  (Dedekind)  cat  deiaed  by  a  change  of  a  propoeitioa, 
say  from  T  to  F,  ideatiles  aa  iastaat  Meagtag  to  the 


s 


! 

i 


I 


■tractue  whidi  nurki  the  tnasitioa  point.  la  oar  eaae, 
the  reqairemeat  at  laite  variability  a^ady  earaiei  that 
aay  change  in  valne  of  a  variable  y  mast  be  associated 
arith  some  aode  <<  that  marks  the  tiaasitioa  point.  Con* 
seqaeatly  completeaem  is  saperceded  by  the  finite  vaii- 
abffity  reqairemeat  represented  by  the  axioms: 


F8.  (pUTvi-pjUT 

P8.  (❖r)-»»irv(-.#))ir 


These  axioms  state  that  tot  every  formnla  p  and  in¬ 
stant  <  >  0,  there  is  always  an  open  interval  to  the  right 
of  t  ({t*  I  (  <  I'  <  P*}  for  some  1^,  I  <  (")  in  which  the 
valne  of  ^  is  nailiorm,  and  if  <  >  0,  also  an  open  interval 
to  the  left  of  I  in  which  p  is  naifbrm. 


A  conseqaence  of  the  fact  that  finite  variability  im¬ 
plies  completeness  is  that,  relative  to  the  laagnage  TLR, 
the  class  of  modeb  based  on  the  reals  b  eqnivalent  to 
the  class  of  modeb  baaed  on  the  ratioaab.  Thb  means 
that  a  TLR  formnla  b  satbfiable  by  a  real  model  if  it 
b  satbfiable  by  a  rational  model.  Gonseqnently  we  may 
interpret  the  R  of  TLR  m  standing  for  either  the  Reals 
or  the  Rationab. 


Consider  next  the  iatrodaction  of  the  fixpoint  op¬ 
erators  to  oar  system.  Since  the  miatmal  and  mMfinial 
fixpoint  operators  are  iaterdefinable,  we  choose  as  basic 
the  maximal  fixpoint  operator.  It  b  controlled  by  the 
following  axiom: 

XI.  uX.p{X)  s  p{vX.p{X)) 

le.,  the  maximal  solntion  to  the  eqaation  X  =  p(X) 
satisfies  the  eqaation. 


A  rab  associated  with  the  fixpoint  operator  b: 

RS.  (-  d  <(>($)  =».  h  d  uX.p(X) 

Thb  rub  states  that  i/X.p(X)  b  the  maximal  sola- 
tioa  to  the  eqaation  X  -*  ^{X),  and  hence  every  other 
solntion,  snch  m  d  above,  b  smaller  than  vX.p{X). 

The  minimal  fixpoint  can  be  defined  by: 


ltX.(p{X)  *  vX.->^{-^X) 


The  compbteness  at  the  system  ap  to  thb  point  b 
dbenssed  in  |LP|. 

The  most  complex  operators  in  the  laagnage  are  the 
qnaatifiers.  Actnally,  the  fixpoint  operators  can  be  de¬ 
fined  by  means  of  qnaatifiers  latrodacing  the  abbrevia¬ 
tion: 


we  can  express  yX.\p(X)  by  the  foUowiag  formnla: 

3g.|g  A  □#(«)  A  Vp.  □(  Dsb)  -*  Qp  -*  g))] 
where  c(r)  b  given  by  r  3  p{r). 

Thb  formnb  explkitly  states  that  g  holds  now,  g 
satbfies  the  eqaation  s  at  all  points,  and  aay  other  p  sat¬ 
isfying  s  at  all  points  b  necessarily  smalbr  or  eqaal  to 
*• 


The  axioms  eontrolliac  the  qnaatifiers  are  to 

those  presented  in  |MP3j: 

QFL  3p.|y>U^|  s  ipU(3p.ti) 
where  p  b  not  free  in  p. 

The  additional  axiom  QPl,  b  the  past  eonaterpart 
ofQFl. 

QX  Vp.|p(p)  —  tp(d) 

where  d  b  aay  formnla  free  tax  p  a  p. 

And  we  abo  have  the  foUowiag  rale: 

R4.  Vp.ri 

where  p  b  not  free  in  p. 

For  the  proper  definitioa  of  the  semantics  at  programs 
we  shoald  be  abb  to  establish  the  existence  of  proposi¬ 
tions  that  have  an  infinite  variation. 

For  a  formnb  p,  we  define  the  followmg  abbrevb- 
tioas: 

-  l(-F)iTV  (-.^))  A  \p  V  p&T\ 

Rise(p)b  trae  at  t  >  0  igt  b  a  transition  point  at  which 
p  changes  from  F  to  T. 


FaU(#>)  w  Rise(^). 

Ch(^)  w  Rise(^)v  FbU(^) 

Thns  Ch(ip)  b  trae  at  I  ^  0  iffp  changes  ito  vahe  at  t. 


Clock(g)«(EB^gA  □(g-(-g)fir)l 


A  propoebioa  b  called  a  dock  if  it  b  trae  at  infinitely 
many  pobts,  and  whenever  it  b  trae  it  b  hamediatefy 
bbe  at  a  tight  aeighborbg  interval.  Thb  implies  that 
g  b  trae  at  coantably  many  bobted  pobto  (never  at  an 
bterval)  and  fobe  elsewhere. 

We  add  the  foOowbg  axiom: 

C.  3g.{aock(g)A  DlChC^)^  . 

(-K%()p))tt(g  A  -iChCip)))} 

Thb  axiom  states  that  for  aay  formnb  p  there  exbts 
a  clock  g  that  becomes  trae  (ticks)  at  least  once  between 
every  two  coaseentive  changes  b  p. 

The  qnestioas  of  decidability  and  completeaem  of  thb 
axiomatic  system  for  the  propositional  fragment  of  TLR 
will  be  dbenssed  b  |LP|,  hopbg  to  establish  positive  an¬ 
swers  for  both. 


A  trivial  extension  of  the  propositional  fragment, 
which  b  still  decidable,  b  obtabed  by  aOowbg  a  sbgb 
fixed  data  domab  D  of  finite  cardbaJity. 


The  General  Logic 


.ks  soon  as  we  allow  data  domains  of  nabonaded  car- 
dbality,  the  logic  becomes  highly  nndeddable  and  not 
finitely  axiomatbable.  In  that  case- we  have  abo  to  con¬ 
sider  qnantification  over  global  variables.  Thb  qnaatifi- 
eatioB  obeys  axioms  QFl,  QPl,  Q2  and  mb  R4  as  well 


A  fMonU  p  k  ealkd  ^U>hd  it  it  dapaadt  oaljr  oa 
IMmI  vaiiablbi  aad  propoaitioaa.  For  |k>W  totmalaa  p 
«a  kava  tka  taUoariaf  axiom: 

<«•  PM  Op 

A  PrognmmUlrLa&gaage  uul  It*  Operational 
SemaatJoi 

Wa  iattodaea  a  kmpla  piofraauniag  laacaaft  of  pco- 
ecaaea  vkkk  cotamaaicata  bjr  skaiad  vartablaa.  aiaea  wa 
waat  to  empkaaiM  tkair  coatiaaoaa  bakarior  latkar  tkaa 
tka  raaah  tkajr  jriald  oa  tatauaatbm,  «a  will  aot  allow 
tkam  to  tarmiaata. 

Aaaomiag  tkat  tka  ayatax  tor  tatau  aad  eoaditioBa 
b  aadaiatood,  tka  foUowiag  raeaiaira  dadaitioa  daaeribaa 
tka  syatax  at  ptoeaaaaa: 

yjs:  Mat  b  a  ptoeaaa  tkat  parfotam  aofaftkaraetioa. 

SiB:  eaU  P  rapiaaaat  a  raeanha  call  to  a  paoeam  P 

witkia  ita  body. 

Skip;  If  a  b  a  pwcaaa  tkaa  ao  b  a^p;  a 
Aaritamaat: 

If  y  b  a  data  wariMa,  a  a  tana  aad  a  a  proeam, 
tkaa  y :«  a;  a  b  a  proeaaa  tkat  tiat  aaaigaa  a  to 
y  aad  tkaa  proeaad  to  patiotm  a. 

Coaditioaal: 

Ifai,...y)i  anpraeaaaeaaadotfM^  aiecoa- 
a 

ditiaaa,  tkaa  -»  a^  b  a  proeem  tkat  aoa* 

datarauabticaily  ekooaaa  a  dbeetkiB  i  sack  tkat 
Ci  b  traa  aad  tkaa  piocaada  to  perform  a^,  for 
aome  i,  i  w  1,...,*. 

ParalbL 

If  at,  a!i  are  two  ptoeaaaaa  aad  two  dia- 
joiat  a^  of  data  vaiiablaa,  tkaa 
[oaa  y^;ai  ||awa  i^;ar|  b  a  proeaaa  tkat  par* 
fonaa  at  aad  aj  ia  paraUaL  Tka  awa  doel^ 
ratiaaa  partitioa  tka  availabb  rariablea  iato  two 
rata  aaaodatiay  witk  aack  proeaaa  tka  sat  of  rari- 
ables  it  b  allowed  to  aiodil^. 

Data  Variabbs  PaclaiatioB: 

If  a  b  a  proeem  tkaa  so  b  new  f;  a,  daclatiac 
a  sat  of  aaw  vatiablas  g  aad  tkaa  proeaadiag  to 
perform  a. 

Piocam  Daclaratioa  aad  Activattoa;  If  F  b  a  proeam 
variabb  aad  D  aprocam  (body)  tkaa  |F  taken  P  m  D|  b 
a  proeem  tkat  beyioa  to  perform  P  a^  recarsively  reac¬ 
tivate  B  wkeaevar  b  oieets  a  call  to  P.  Note  tkat  oar  re- 
earsiva  procesaes  do  aot  adoiit  parameters,  aad  abo  aavar 
retan  from  a  ealL 


the  amiablas,  aot  locally  daclatad  fat  r,  wUA  r  aaqr  mod* 
iftr. 

Ghaa  a  coraplsta  proeam  we  ddae  for  aack  coo- 
stitaeat  sabprocem  y,  tka  sat  aMd(y)  wkiek  b  tka  set 
of  variabbs  that  y  aetaally  modilm  or  daelaras  oavaiaf . 

Tkb  b  delaad  by  the  folkariac  aqaathwa: 

aiod  (mi<)s  # 

BMd  (aall  P)  w  modlB)  wkaa  the  coll  F  b 
foataiaad  aritkia  a  F  «  B  daclaratioa. 
mod  (dbyta)  smodlw) 

■od  (y :»  a;  r)  »mod(r)  U  {y} 

-*  »<!)  ■  U 

isl 

mod  (awa  g;  r)  »aaod(r)  u  (g) 
mod  (vi  II  as)  wmodlri)  U  ai^(si) 
mod  (aawKa)  «mod(r)  -  {f} 

Bud  (F  ttkanPm  B)  «aiod(B) 

Thaoa  aqaatioBs  are  rscaraiva,  so  wa  look  fat  their 
mtamsal  sdatioa. 

Wa  auy  aow  dedpa  for  aa^  tebprocam  y  tka  sat 
awas(y),  wkkk  b  tka  sat  of  variabbs  tkat  tka  cootaxt  ia 
whi^  y  occars  haa  doelatad  ao  owaed  by  y.  The  eompw- 
tatioe  at  tkasa  sab  proeaada  ia  a  topnlowB  fmhioa. 

Ify-sbt>,rory  ■  |y  :>  a;  r),  tkaa 
owBs(r)  wow^y) 

Ky«(JIei  “►»<!,  them 

owBs(r()  wowBs(y)  for  aack  i  w 
If  y  w  (oam  ti  ||  oam  p;  *s|,  tkaa  wa  raqaim  tkat 
owBa(y)  s  9*  u  9*  aad  dataa 
aana(wi)  >  9*.  for  i  ■  1.3 
Ify  w  ?ia»  g;r,  tkaa 

owBs(y)  3owaa(y)  U  {f}. 

If  y  3  |F  wkara  P  m  B),  tkaa 

owbs(F)  3  ow^B)  3  owas(y)  u 
(J  owaa(ealfF) 
wayce 

Tkb  dadaitioa  b  agaia  recotsiva  aas  we  look  for  the 
miaiaial  solatioa. 

A  complete  proeem  awa  l;y  b  well  fotamd  ifr 

a)  No  daclaratioa  of  the  form  turn  g  fkfls  oadar  the 
scope  of  aaother  daclaratioa  for  soam  variabb  ia  g. 
Violatioaa  of  tkb  eoaditioa  eaa  always  be  corrsetad 
by  raaaadag. 

b)  Every  eaU  P  proeem  occars  witkia  the  body  of  a 
deeiaratfam  for  F. 

e)  For  every  sabprocem  » ia  y  (mod  (r))  S  omna(r). 

d)  All  the  free  variabba  ia  y  are  coataiaad  ia  I. 

Wa  aext  daiaa  oparatioaal  saaiaaties  for  tkb  laa* 
goage.  We  aasooia  that  sack  sobprocaos  wUkia  the  eooi* 
plate  proceas  awa  i;y  b  oaiqa^  ideatiflabb.  We  da> 
lae  a  labelled  traasitioa  relatka  reprasaatiaf  tka  poaaibb 


A  eamplete  proeem  will  have  tka  gaaaral  form 
oam  9;  r,  where  the  preeadiag  awa  daclaratioa  idaatiSm 


traBsfonnatioiu  tli»t  cu  b«  effected  ia  one  eomputntioD 
•tep.  Annine  n  set  of  states  5,  each  of  which  is  a  mappiaf 
from  the  carrently  declared  variables  to  their  values.  A 
is  a  pair  <»,«'>  consiating  <ff  a  process  t 
and  a  state  w  €  5. 

For  S’  =  |sh^  ;p|  or  n  =  [own  y  ;p|, 

<»,»>  -*  <fi,9> 

For  »  =  1»  :=  e  ;  p|, 

<w,o>  -►  <p,(w;y:w(e))> 

where  (w;y:w(e))  denotes  the  state  obtained  from  w  bjr 
assigning  the  value  of  e  evaluated  at  w  to  y. 

k 

For  X  =  I. Pi], 

~x 

<x,a>  ->  <Pi,o> 

for  each  i  =  1, . . . ,  h  such  that  <r(e,-)  =  T. 

For  »  =  [new  y  ;  p], 

<x,(r>  ^  <fif,  (w;y':J.)> 

where  p*  and  y*  are  obtained  from  p  and  y  by  systemat¬ 
ically  renaming  all  the  variables  in  y  that  are  ia  conflict 
with  the  currently  declared  variables,  Le.  the  current  do¬ 
main  of  9.  Again  (w;y':  J.)  denotes  the  state  obtained 
from  9  by  augmenting  the  domain  of  w  by  and  assign¬ 
ing  to  them  the  undeflned  value  J.. 

For  r  =  |pi  II  Ps|.  we  have 

<r,9>  -  <p',  ||pi  ,  <r'> 

for  each  transition  <pi,w>  ^  <p'|,p'>,  and 
<T,<r>^<p,  llpi  ,  9‘> 

for  each  transition  <ps,7>  ^  <fllf,9'> 

For  T  =  |P  where  F  «  B|  , 

<X,9>  ->  <B,9> 

For  X  =  exU  P,  appearing  within  the  body  F  of  a 

declaratioa  P  ^  B  , 

* 

<X,9>  -►  <B,9>. 

If  <x,9>  ^  <y',y>  for  some  r'.w',  then  we  sty 
that  the  label  (process)  A  is  euMei  in  the  conflgnratioa 

<X,9>. 

An  execution  sequence  corresponding  to  the  initial 
conflguration  <s’o,7o>  is  a  labelled  transition  sequence: 

.  Ao  A, 

5:  <Xo,9o>  -»  <Xi,9i> 

such  that: 

a)  Every  transition  appearing  in  5  is  justifled  by  the 
deflnition  above. 

b)  The  sequence  5  is  mammal,  i.e.,  it  is  either  inflnite 
or  terminates  in  a  conflguration  <Xk,9i,>  on  which 
no  subprocess  of  Xk  is  enabled. 


c)  The  sequence  S  is  wesdcly  fair.  This  means  that  we 
exclude  inflnite  sequences  in  which  for  some  A  and 
i  >  0,  A  b  continuously  enabled  beyond  <Xi,w,> 
but  never  taken,  i.e.,  A  b  enabled  in  each  <Xj,9}>, 
j  >  i,  but  for  all  y  >  Xj  /  A. 

We  deflne  Si,  the  set  of  Z-states,  as  the  set  of  all 
states  whose  domain  b  x.  Let  x  s  |own  Z;  p|  be  a  com¬ 
plete  process,  and  »o  ^  Si.  K  behxxior  of  x  on  So  b  a 
Unite  or  inflnite  sequence  of  Z-states: 

such  that  there  exbts  an  execution  sequence: 

Ao  Ai 

S:<xo,9o>  -*  <xi,9i> 

with  To  =  r  and  $i  =  9,  |r,  Le.,  9,  restricted  to  the 
domain  Z,  for  each  •  =  0, 1, . . .. 

Thb  deflnition  of  behavior  b  still  too  detailed  and 
may  contain  redundant  detaib  such  as  stuttering.  Conse¬ 
quently,  we  deflne  the  notion  of  a  reitued  iekamor  which 
eliminates  stuttering  altogether.  A  reduced  behavior  cor¬ 
responding  to  a  complete  process  x  and  an  initial  state  so, 
b  a  flnite  or  inflnite  sequence  of  a-states  which  b  obtain¬ 
able  from  a  behavior  of  x  on  Sq  by  deleting  all  consecutive 
duplicates.  Obviously  such  a  deletion  may  transform  infl¬ 
nite  behaviors  into  flnite  reduced  behaviors.  Let  F(x,  sq) 
be  the  set  of  all  reduced  behaviors  of  x  on  to-  Then  the 
operational  semantics  we  assign  to  a  complete  process  x  b 
a  mapping  from  initial  states  to  reduced  behaviors  given 
by: 

Ol£x])  *  Aso.B(x,ao) 

Thb  definition  leads  directly  to  a  deflnition  of  an 
induced  observational  congruence  given  by: 

The  processes  x  and  p  are  openUionxUf  eonyraenf, 
X  ~  p  iff  for  every  context  (?(•) 

(1)  C(x)  b  a  well  formed  complete  process  iff  (7(p)  b. 

(2)  In  the  case  that  both  C{x)  and  C(p)  are  well  formed 
complete  processes,  0|](7(x)]]  =  0|[C(p)]]. 

As  an  example  of  thb  congruence  we  observe  that 

(re»<)  ~  I  DF  -»  skipj  ~  {P  where  P  c  P) 

We  may  now  reformulate  the  challenge  we  posed 
in  the  introduction  as:  Find  a  eixnpositionai  semantics 
which  b  fully  abstract  relative  to  the  operational  con¬ 
gruence  defined  above.  We  claim  that  the  real  temporal 
semantics  that  we  introduce  in  the  next  section  answers 
thb  challenge. 

A  Real  Temporal  Semantics 

Let  oara  Z;  xq  be  a  well  formed  aamplete  process.  Let 
as  associate  a  temporal  proposition  variable  Xi  with  each 


179 


ptOMW  VMtobb  Pi,  i »  1, ...  fc  defiled  in  To*  Alaoassaine 
thnt  we  hem  eompmted  (or  ench  snbpiocess  p  appearing  in 
nOt  ite  owneah^  aet  owiu(p)  determined  by  its  context. 

In  the  Mction  dealing  with  temporal  logic,  we  have 
delned  the  formnln  Ch(^)  thnt  marks  the  transition  point 
at  which  a  (onailn  y  changes  its  truth  value.  We  extend 
this  (ormain  to  maziTaehaage  in  a  data  variable  g  by: 

Ch(g)  s  3u.Sise(g  s  u) 

This  marks  the  point  o(  a  change  from  g  H  to  g  s  «. 

We  also  defae  the  ^ng  /ermala  fat  g: 

i(g)  ®  ->Ch(g). 

The  temporal  semantics  o(  a  process  r,  denoted  by 
is  a  temporal  formula  that  characterises  its  behavior  in 
an  abstract  wsgr.  In  the  foUowiag  definitions  we  use  the 
abbreviation  i  i(owns(w))  to  denote  that  all  the  vari¬ 
ables  owned  by  r  are  not  presently  changed.  We  provide 
one  cianse  of  the  definition  (or  each  type  o(  subprocess: 

e  Qmdl  s  I A  9 1 

This  implies  that  the  main  effect  o(  the  process  rest  u 
to  preserve  lorever  the  values  of  variables  it  owns. 

e 

where  Xt  is  the  proposition  variable  we  have  associated 
with  the  process  variable  Pi. 

•  Dff  “  ® 

I A  3u(i{i  (t  A  («  a  e)  A  til  {(g  »  «)  A  i(owns(r)  -  g)A 

This  formula  identifies  a  first  point  in  which  e  is  eval¬ 
uated,  and  then  a  second  point  at  which  g  is  assigned  the 
obtained  value  while  all  the  other  variables  owned  by  w 
ate  stiU  preserved. 

•  a  Cy  pj  * 

a  * 

I A  {(  9l  ^  9^->CyJ  V  V  •«(«>  A  Oftl) 

jal  /=» 

This  defiaitioa  considers  the  possibility  o(  deadlock 
at  w  U  each  condition  is  infinitely  many  times  false,  the 
other  possibility  is  the  identification  of  a  true  cy  followed 
by  the  execution  of  py. 

•  II  PsH  -  Qpill  A  Qpill- 

We  consider  the  simplicity  of  this  clause  an  important 
feature  that  may  well  justify  the  complexity  of  the  other 
clauses. 

o  Qnev  =  I A  ^  /\  ffl  i(g)^  A  3l(ili|]Ji^) 

'r€owas(r)nT  ' 

The  main  effect  of  the  declaration  of  new  variables  is 
expressed  by  the  existential  quantification  over  the  newly 
introduced  variables.  A  secondary  effect  is  that  all  the 
variables  that  v  owns  but  have  been  cosered  or  redeclared 


in  X,  Le.,  variables  in  owas(w)  n  X,  will  never  be  modified 
again.  This  is  because  any  reference  made  by  p  to  one 
of  these  variables  is  interpreted  as  addressing  the  newly 
declared  variable  of  that  name. 

•  |II»<  where  Pi  e.  B.])  =  3«.i/X<lill+(Ch(«)  A 

In  principle,  the  natural  definition  we  would  expect 
for  proceu  recursion  is: 

pj:.iiU+pfiJi. 

However,  as  we  explained  in  the  introduction,  if  B  con¬ 
tains  an  unguarded  path,  Le.,  a  path  with  no  change  in 
the  values  of  variables,  from  P  to  call  P,  the  maximal 
fixpoiat  of  the  nahre  equation  will  include  undesirable  be¬ 
haviors.  To  ensure  that  all  paths  to  Xi  in  |[B]|  will  contain 
a  change,  we  impose  an  external  clock  g  whi^  is  required 
to  change  at  least  once  on  each  recursion.  By  existentially 
quantifying  over  it,  we  abstract  away  any  particular  tea- 
tares  that  may  be  associated  with  a  specific  clock. 

Because  of  space  limitations  we  present  the  main  the¬ 
orem  of  thU  paper  without  a  proof.  A  detailed  proof  will 
be  contained  in  a  technical  report  presenting  a  fuller  ver¬ 
sion  of  the  paper. 

jOffilSB 

The  real  temporal  semantics  presented  in  this  section 
»  fhibr  abstract  with  respect  to  the  relation  of  operational 
congruence. 

TLR  As  a  Working  Tool 

The  complex  formulae  appearing  in  the  definition  of 
the  temporal  semantics  of  processes  msgr  have  created 
the  impression  that  TLR  is  a  complicated  formalism  to 
wotit  with.  This  imptessioa  is  najnstified,  and  the  ap¬ 
parent  complexity  should  be  attributed  to  the  efforts  of 
constructing  a  compositional  semantics  of  concurrent  pro¬ 
cesses.  In  fact,  for  actual  reasoning  about  programs,  TLR 
b  quite  comparable  to  iateger>based  temporal  logic,  and 
the  added  feature  of  full  abstractness  makes  it  an  attrac¬ 
tive  alternative. 

Consider  for  example  the  following  process: 
r.  own  »;  P  where  P  <=  j*  :=  *  + 1;  P] 

An  obvious  property  of  thb  process  b  expressed  by 
the  formula  (u  >  0)  -*  9  (x  >  0).  Let  p  denote  x  >  0. 
In  the  integer-based  TL  we  establbh  the  conditional  in¬ 
variance  of  p,  Le.,  that  once  it  holds  it  b  preserved  for¬ 
ever,  by  showing  that  all  the  atomic  actions  of  u  preserve 
iP.  Here  we  do  something  similar.  First,  we  observe  that 
after  some  simplifications  (]ir]|  =  9  where 

0:  i/j:.3ul{x  =  u)a+(x  =  n  -h  l)a+I(x  *  u  + 1)  A  xii 

We  have  eliminated  in  thb  expression  the  external  clock 
g,  since  the  process  itself  guarantees  a  change  on  each 


itentioa.  Thn  elimination  can  be  fonnalljr  jnstiAed.  Ob- 
Yionsty  9  satiales  its  equation: 

1.  e  s  3«|(a  =  «)a+(» =H+ i)a+|(»  = « + 1)  a  ej) 

EVom  which  it  is  not  difficult  to  establish: 

2.  0Ap-*  {fpli+[Ch(*)ApU+(0  A(p)]} 

This  can  ^  interpnied  as  showing  that  0  A  ^  sat¬ 
isfies  the  equation 

r  -  »»a+lCh(a)  A  <pU*Y\ 

Consequently,  using  rule  R3  and  the  existential  ver¬ 
sion  of  R4  we  obtain 

s.  0A»»-3*.i/Kipa+(ch(»)A«»ii+y]i 

An  important  theomm  of  TLR  is: 

4.  {3x.i/y|^a+[Gh(a)  A  ifiU+Y\\}  =  (y»  A  B  (p) 

We  thus  obtsiin 

5.  0  A  p  — *  ffl  ^ 

Or  equivalently 

6.  IsJ  -*  -*  ffl  <fi\ 

Using  the  notation  of  (BKP1|  this  is  representable 

as 

®(p} 

wUch  means  that  all  executions  of  t  satisfy  the  tem¬ 
poral  property  Sp. 

Since  the  only  step  in  this  proof  that  depends  on  the 
specific  T  and  p  considered,  was  the  derivation  of  2  from 
1,  we  can  condense  all  the  others  into  a  derived  proof 
principle. 

Let  X  be  a  process  of  the  form: 

x:  own  g;  P  where  P  <s  B 

Denote  by  the  temporal  semantics  of  B,  where 

dependence  on  the  propositional  variable  X  has  been 
made  explicit.  Then  we  have  the  following  rule: 


0  2l[B]l(0)  I-  0Ay->{y>a-*-[Ch(g)Aya-»-(0Ay)|} 
lx]{(p-»  fflip} 

A  slightly  more  general  rule  is  seeded  for  the  case  that  B 
is  not  guarded. 

Inspecting  the  passage  from  1  to  3  above,  we  see  that 
what  is  needed  is  establishing  that  p  is  preserved  along 
any  computation  path  in  B  leading  to  any  cell  P  appear¬ 
ing  within  B.  We  also  observe  that  it  is  very  similw  to 
the  rule  PROG  handling  recursioa  in  [BKPl|. 

It  is  clear  that  many  more  derived  rules  of  this  hind 
should  be  developed  before  we  can  use  TLR  with  the  same 
ease  and  convenieace  now  attained  in  the  integer-based 
TL.  However,  we  do  feel  confident  that  such  high-levd 
rules  can  and  will  be  developed. 


An  Example  of  Specification  and  Verification 

For  a  more  comprehensive  example  we  consider  Pe¬ 
terson  algorithm  for  mutual  exclusion  ({Pe]). 

In  a  subtly  extended  version  of  our  programming 
language,  the  algorithm  can  be  presented  as: 

P:  own  gi,gs,(,ini,int; 

(tri.M.f.'tti.'ns)  :=  (F,F,F,F,F);|pi  ||  ps] 
where 

pii  own  fo,  mi,  it;  [Pi  where  Pi  «  Bij 

pt:  own  Vs,  ins,  T  < ;  |Fs  where  Ps  ^  Ba| 

Bi:[(r^  caUPi  ) 

□ 

(T  Pi  :=  T;  I  :*  P  ; 

|<Ji  where  Qi  <s  Ci])) 

Bs:  |(r  aM  P,) 

□ 

(r  -  g,  :=  T;  I  :=  T  ; 

l^s  where  Qt  <=  G,))) 

Gi:[(gs  Alt  -»  eatt  Q,) 

□ 

(->gi  V  t  —  ini  :=  T  ;  ini  :=  F  : 
gi  :=  P  :  eaU  Pi)J 

Gs:|(giA-.t  -♦  eaUQt) 

□ 

(->gi  V  -it  -►  ins  T  ;  »ns  :*  P  ; 
g*:»P;  ca«Ps)l 

The  extensioa  we  introduced  to  our  ptogmmming 
language  is  that  both  pi  and  pt  are  allowed  to  modify 
t,  but  each  in  its  own  way.  The  notation  i  t  means  that 
Pi  and  its  snbprooesses  ace  only  allowed  to  set  t  to  P, 
while  PS  is  only  allowed  to  set  t  to  T. 

As  a  result  the  •  formula  for  p|  and  ps  should  read 
respectively: 

ii  =  -iGhlgi)  A  -iGhiini)  A  -<  Fall  (t) 

■s  =  -iGhjgs)  A  -iGhiins)  A  Rise  (t) 

Writing  the  semantics  of  the  two  processes,  it  is  pos¬ 
sible  to  infer  from  them  the  following  modular  specifica¬ 
tions: 

jPiK  □(•"i  ®i)  ^  Olmi  A  0s  -*  I)} 

[piK  □(•"s  ®s)  A  olins  A  0s  -•  -*0} 

where  0|  and  0s  characterise  the  history  of  a  point  in 
which  Pi  and  ps  are  ready  to  enter  their  critical  section 
(signified  by  setting  ini  und  ins  to  T). 

0|:  ii  A  A  gi) 

0s:  H  A  is5((  A  gs) 


It  is  easy  to  see  that  when  we  combine  these  speciC* 
cations  we  can  obtain  (by  contradiction): 

(Pi  II  Pi|  {  a^(int  A  ins)} 
which  establishes  mutual  exclusion. 

Conclusions 

The  teal-numbers  based  model  and  its  aasociated  teal 
temporal  logic,  seem  to  achieve  a  hi^er  degree  of  ab¬ 
stractness  than  the  one  provided  by  the  integers-based 
model.  The  price  does  not  appear  to  be  excessive  since 
the  basic  structure  of  temporal  formulae,  specillcations 
and  proofs  is  not  significantly  altered.  The  gain  is  ob¬ 
vious  since  it  provides  a  much  cleaner  and  mote  natural 
semantics.  This  becomes  even  more  apparent  when  illns- 
trated  on  a  communication  baaed  process  language  such 
as  CCS.  It  can  be  shown  that  the  real  temporal  seman¬ 
tics  of  CCS  attains  the  same  standard  of  abstractness  set 
up  in  the  algebraic  treatment  of  CCS  and  its  derivatives 
(1M21,  [HMl,  (dNHl). 

Acknowledgements 

We  would  like  to  gratefully  acknowledge  the  sup¬ 
port  given  by  the  Weizmann  Institute  to  the  visit  of  the 
first  two  authors.  Many  thanks  are  due  to  L.  Lamport, 
M.  Chandi  and  J.  Misra  tor  most  illuminating  discussions, 
to  A.  Emerson  and  L.  Znck  tor  friendly  help  and  advice, 
to  the  participants  of  E.W.  Dijkstra’s  Tuesday  afternoon 
club  for  many  helpful  comments,  and  last  but  not  least  to 
C.  Weintranb  for  her  most  speedy  and  efficient  typing. 

References 

(BKPlj  Barringer,  H.,  Kuiper,  R.,  Pnndi,  A.  —  Now 
You  May  Compose  Temporal  Logic  Specifica¬ 
tions,  16th  STOC  (19M)  51-63. 

|BKP2|  Barringer,  H.,  Kuiper,  R.,  Pnueli,  A.  —  A 
Compositional  Temporal  Approach  to  a  CSP- 
like  Language,  Proc.  of  IFIP  Conference:  The 
Role  of  Abstract  Models  in  Information  Pro¬ 
cessing,  Vienna  (1985). 

[dBMOj  de  Bakker,  J.W.,  Meyer,  J.-J.Ch.,  Olderog, 
E.-R.  —  Infinite  Streams  and  Finite  Obser¬ 
vations  in  the  Semantics  of  Uniform  Concur¬ 
rency,  12th  ICALP  (1985)  149-157. 

|Br|  Brookes,  S.D.  —  A  Semantics  and  Proof  Sys¬ 
tem  for  Communicating  Processes,  2nd  Work¬ 
shop  on  Logics  of  Programs,  LJfCS  164  (1983) 
68-86. 

(Bn|  Burgess,  JJ*.  —  Basic  Tense  Logic,  in  D.  Gab- 
bay  and  F.  Gnenthner  (eds.)  Handbook  of 
Philosophical  Logic,  Vol  II,  D.  Reidel  Publish¬ 
ers  (1984)  89-133. 

|CE]  Clarke,  E.M.,  Emerson,  E.A.  —  Design  and 
Synthesis  of  Synchronization  Skeletons  Using 


Branching  Tiine  Temporal  Logie,  1st  Work¬ 
shop  on  Logie  of  Programs,  LJfCS  131  (1981) 
52-71. 

|CM|  Clarke,  E>4.,  NGshra,  B.  —  Automatic  Veri¬ 
fication  of  Asynchronous  Circuits,  2nd  Worit- 
shop  on  Logics  of  Programs,  LJfCS  194  (1983) 
101-115. 

(HM]  Henaesy,  M.C3.,  Milner,  R.  —  Algebraic  laws 
tor  Nondetenninism  and  Concurrency,  JACli 
St,  1  (1985)  137-161. 

|HO]  Hailpem,  B.,  Owicki,  S.  —  Modular  Verifica¬ 
tion  of  Computer  Communication  Protocols, 
UUIS  IVane.  on  CommuHiettiont,  COM-31, 
1  (1983)  56-68. 

[HP|  Heanesy,  M.C.B.,  Plotkia,  GJ).  —  Pull  Ab¬ 
straction  for  a  Simple  Parallel  Program¬ 
ming  Language,  Mathematical  Foundations  of 
Computer  Science,  LNCS,  74,  Springer  Verlag 
(1979)  108-120. 

(J|  Jones,  C.B.  —  Software  Developmeat:  A  Rig- 

otons  Approach,  Prentice  Hall  International 
Series  in  Compnter  Science. 

|Lal|  Lamport,  L.  —  What  Good  is  Temporal 
Logic?,  Proc.  IFIP  Congress,  Paris  (1983) 
657-668. 

(La2|  Lamport,  L.  —  Specifying  Concurrent  Pnv 
gram  Modules,  ACli  TOPLAS  5,  2  (1983) 
190-222. 

JLP]  Lichtensteia,  O.,  Pnueli,  A.  —  A  Deductive 
System  for  the  Tsmporal  Logic  of  the  Reals, 
Technical  Report,  Weizmann  Institute  of  Sci¬ 
ence,  in  preparation. 

[LPZ|  Lichtenstein,  O.,  Pnueli,  A.,  Znck,  L.  —  The 
Glory  of  the  Past,  Logics  of  Programs,  LNCS, 
193,  Springer  Verlag  (1985)  196-218. 

IMl]  Milner,  R.  —  Fully  Abstract  Models  of 
Typed  T*Calculi,  Theoretic  Computer  Science 
(1977). 

[M2|  Milner,  R.  —  A  Calculus  of  Communicating 
Systems,  LNCS  92  (1980). 

(MPl)  Manna,  Z.,  Pnueli,  A.  —  Verification  of  Con- 
enrrent  Programs;  The  Temporal  Frameworic, 
in  Correctness  Problem  in  Compnter  Science, 
R.S.  Boyer,  J.S.  Moore  (eds.)  Academic  Press 
(1982)  215-273. 

(MP2|  Manna,  Z.,  Pnueli,  A.  —  How  to  Cook  a  Tem¬ 
poral  Proof  System  for  Your  Pet  Language, 
10th  POPL  (1983)  141-154. 

{MP3j  Manna,  Z.,  Pnueli,  A.  —  Verification  of  Con¬ 
current  Programs:  A  Temporal  Proof  Sys¬ 
tem,  Foundations  of  Compnter  Science  IV, 
Distributed  Systems,  fifatkematteaf  Centn 
TVaets,  159,  Amsterdam  (1983)  163-255. 


182 


I 


rmmmnmtmtfnif* 


{NGO] 


de  NkoU,  S.,  Henneajr,  M.CM.  —  Ttitiaf 
E<iaivdenee  for  ProcesMt,  10th  ICALP,  IMCS 
1S4  (1983). 

NftBjren,  V.,  Griea,  D.,  Owicld,  S.  —  A  Model 
ud  Temporal  Proof  Sjntem  for  Nctworka  of 
Ptoeemea,  13th  POPL  (1085). 

Owieki,  S.,  Lamport,  L.  —  Provia^  Liyeaeae 
Ptopertiee  of  Coacarreat  Progmae,  ACM 
TOPLAS  4,  8  (1983)  465-496. 

Petenoa  GX. — Mytha  aboat  the  Mataal 
ehuiaa  Problem,  Iti/ormMitm  ProMttimi  ^ 
Ur$  13,3(1981)  115-118. 

Paaeli,  A.  ~  The  Temporal  Semaatiea  oiCon- 
eaneat  Programa,  Tkmretietl  Comfnitr  Sei- 
nee  18  (1981)  45-80. 

Paaeli,  A.  —  la  Ttaaaitioe  from  Global  to 
Modalar  Temporal  Reaaoaiag  Aboat  Pro- 
grama,  Proe  of  NATO  School  os  Logie 
aad  Modela  for  Veiileatioa  aad  Speeiieatioa 
of  Coacarreat  Systeoia,  La  CoD^SarXoap 
(1984). 

Schararta,  EX.,  Meffiar-Smith,  PXL  —  Ihm- 
poral  Logie  Speciieatioaa  cf  Diatribated  Sya- 
tema,  3ad  lateraatioaal  Coaforeace  oa  Dfo- 
tribated  Compatiag  Syatema,  Pada  (1981). 


.vV-' 

Systolic  Algorithms  as  Programs 


K.  Mani  Chandy 
J.  Misra 


Department  of  Computer  Sciences 
University  of  Texas 
Austin,  Texas  78712 


20  December  1085 


Abstract 


We  represent  a  systolic  algorithm  by  a  program  consisting  of  one  multiple  assignment 
statement  that  captures  its  operation  and  data  flow.  We  use  invariants  to  develop  such 
programs  systematically.  We  present  two  examples,  matrix  multiplication  and  LU- 
decom position  of  a  matrix. 


This  work  was  supported  in  part  by  a  grant  from  the  Office  of  Naval  Research  under 
grant  N00014-85-K-(X)57. 


»  ■(  it; 


mmm 


i 


Table  of  Contents 

1.  Introduction  1 

2.  Programs  and  Systolic  Algorithms  1 

2.1.  Programs  1 

2.2.  Systolic  Algorithms  2 

2.3.  Representing  Systolic  Algorithms  by  Programs  2 

2.4.  Program  Development  4 

2.5.  Notation  4 

3.  Band  Matrix  Multiplication  5 

3.1.  Initial  Conditions  6 

3.2.  Preserving  the  Invariant  7 

3.3.  Determining  Array  Size  and  Number  of  Steps  8 

4.  L-U  Decomposition  of  a  Band  Matnx  9 

4.1.  Initial  Conditions  11 

4.2.  Preserving  the  Invariant  11 

4.2.1.  Preserving  the  first  condition  in  the  invariant  11 

4.2.2.  Preserving  the  second  condition  in  the  invariant  13 

4.2.3.  Preserving  the  third  condition  in  the  invariant  13 

5.  Discussion  14 

6.  References  15 


-  f  V 


i 


I 

I 


I 


c-^ 


•• 

11 

List  of  Figures 

Figure  2-1:  Shift  Register  3 

Figure  3-1:  Relevant  portion  of  a  systolic  array  for  multiplications  of  band  10 
matrices  with  BA  =  —3,TA  =  2,  BB  =  —  1,  2B  =  1 


i 

i 


i 


i 

i 


1.  Introduction 

Systolic  algorithms  [1]  are  synchronous,  parallel  programs  executing  on  a  number 
of  nodes  (machines)  interconnected  by  a  set  of  lines.  Systolic  algorithms  are  often 
described  by  pictures  of  nodes  and  lines  and  descriptions  of  processing  at  each  node  in 
the  picture  and  data  movement  between  nodes.  A  pictorial  representation  of  an  algo¬ 
rithm  suggests  that  it  can  be  implemented  on  a  VLSI  chip;  however,  pictures  do  not 
lend  themselves  readily  to  proofs,  of  correctness. 

We  view  systolic  algorithms  as  programs  and  apply  traditional  program  develop¬ 
ment  techniques,  based  on  invariants,  in  their  design.  In  this  paper  we  carry  out  the 
development  of  algorithms  for  matrix  multiplication  of  band  matrices  and  L-U  decom¬ 
position  of  a  band  matrices.  Both  algorithms  are  from  Kung  and  Leiserson  [l]. 

We  are  far  from  proposing  a  VLSI  design  methodology:  We  do  not  consider  many 
of  the  limitations  in  a  physical  realization;  these  are  concerns  for  a  later  stage  in  the 
design.  However,  our  use  of  traditional  program  development  techniques  seems  to  yield 
designs  for  which  data  flow  rates,  initial  and  boundary  conditions—  the  tedious  details— 
are  derived  mechanically. 

A  great  deal  of  work  has  been  done  on  systematic  methods  for  developing  systolic 
algorithms  [5,6,7,8].  These  methods  are  largely  based  on  transforming  sets  of  equations 
into  forms  suitable  for  implementation  on  systolic  hardware.  The  primary  contribution 
of  this  paper  is  to  represent  systolic  algorithms  by  programs  derived  from  invariants. 
Each  program  consists  of  one  multiple  assignment  statement.  Our  goal  is  to  apply 
traditional  programming  techniques  in  developing  systolic  algorithms. 

2.  Programs  and  Systolic  Algorithms 
2.1.  Programs 

Our  programs  have  multiple  assignment  statements.  A  multiple  assignment 
statement  of  the  form, 

X,  y  :=  /(x,  y),  y(x,  y) 

assigns  /(x y ')  and  y(x ',  y ')  to  x,  y  respectively  where  x ',  y '  are  the  values  of  x,  y  prior 
to  the  execution  of  the  statement.  We  allow  the  right  sides  of  assignments  to  be  con¬ 
ditional  expressions.  For  instance,  we  represent 


A  program  consists  of  declarations  of  its  variables  and  their  initial  values  and  one 
multiple  assignment  statement.  The  program  execution  consists  of  executing  this  state¬ 
ment  repeatedly  forever.  Non-terminating  execution  is  convenient  for  reasoning; 
however,  the  program  may  be  stopped  when  the  left  and  right  sides  of  the  statement 
are  equal  in  value,  becatise  no  further  change  in  variable  values  is  then  possible. 
Restricting  a  program  to  one  multiple  asMgnment  may  seem  too  restrictive.  However, 
our  experience  suggests  that  such  programs  are  adequate  for  representing  systolic  al¬ 
gorithms.  A  multiple  assignment  can  be  thought  of  as  a  synchronous  computation  — 
computing  all  expressions  on  the  right  side  synchronously  —  and  hence,  captures  the  es¬ 
sence  of  systolic  computations.  Elsewhere  [2,3,4]  ,  we  have  shown  that  a  set  of  multiple 
assignment  statements  executed  in  a  non-deterministic  fashion  represents  different  kinds 
of  parallel  and  distributed  computations;  for  this  paper,  we  do  not  require  this 
generality. 

2.2.  Systolic  Algorithms 

A  systolic  algorithm  is  executed  on  a  collection  of  nodes,  and  directed  lines  con¬ 
necting  pairs  of  nodes.  A  step  of  the  computation  consists  of  some  nodes  (1)  reading 
values  from  (some  or  all  of)  their  input  lines,  (2)  computing  and  (3)  writing  values  to 
(some  or  all  of)  their  output  lines.  A  value  written  to  a  line  is  available  at  the  next  step 
at  the  node  to  which  the  line  is  directed.  We  may  represent  local  data  at  a  node  by 
placing  the  data  on  lines  directed  from  the  node  to  itself. 

Systolic  algorithms  display  regular  structures:  there  are  only  a  few  kinds  of  nodes, 
and  interconnections  among  nodes  are  regular.  Furthermore,  in  many  cases,  systolic 
hardware  operates  in  a  pipelined  fashion. 

2.3.  Representing  Systolic  Algorithms  by  Programs 

We  represent  each  line  in  a  systolic  circuit  by  a  variable;  a  variable  value  at  any 
point  in  the  computation  is  the  value  on  the  corresponding  line.  Each  node  in  a  systolic 
circuit  is  represented  by  an  assignment  (in  the  multiple  assignment  statement).  A 
synchronous  step  in  the  systolic  algorithm  is  simulated  by  executing  a  multiple  assign¬ 
ment  statement:  it  assigns  new  values  to  certain  variables  based  on  current  values  of 
some  variables.  A  small  example  is  given  below. 

.  Example:  (Shift  Register) 

A  systolic  algorithm  for  a  shift  register  with  N  nodes  is  shown  pictorially  in  Figure 
2-1.  Every  node  transmits  the  value  from  its  input  line  to  its  output  line'TTi  every  step. 
Lines  are  numbered  as  shown  in  the  picture. 


Figure  2-1:  Shift  Register 


Let  x[t]  be  the  variable  associated  with  the  i‘^  line.  The  multiple  assignment 
statement  which  represents  the  operation  of  thb  algorithm  is,  (informally) 

for  all  t  in  0  to  N—  1::  {assign  in  parallel} 

x{i  +  1]  :=  x[i). 


We  will  write  this  as  (in  a  notation  to  be  introduced  later): 

(t  in  0..iV—  1:: 

II  x[i  +  1) :«  x(»J 

> 


Note  that  there  is  no  explicit  mention  in  the  program  about  data  movement.  Data 
items  move  within  the  array  by  being  assigned  to  different  array  elements,  but  our 
treatment  does  not  trace  the  movement  of  individual  data  items. 

A  multiple  assignment  statement  may  represent  an  algorithm  having  no  systolic 
realization.  For  instance,  a  line  value  is  read  by  exactly  one  node  in  a  systolic  algorithm 
but  a  variable  may  appear  in  the  right  hand  side  of  more  than  one  assignment  in  our 
program.  Similarly,  computation  at  a  node  usually  depends  only  on  a  few  input  line 
values  due  to  physical  constraints,  but  our  programs  allow  expressions  on  the  right  hand 
side  to  have  arbitrary  numbers  of  variables.  We  constrmn  our  programs  to  mirror  these 
limitations  of  systolic  hardware. 

Limited  fan-in,  fan-out:  Each  expression  on  the  right  hand  side  of  an  assignment 
has  a  bounded  number  of  variables.  This  bound  is  the  maximum  fan-in.  Each  variable 
appears  at  most  once  on  the  left  hand  side  of  an  assignment  and  at  most  once  on  the 
right  hand  side  of  an  assignment;  this  is  because  each  line  is  directed  from  one  node  on 
the  external  environment  to  one  node  on  the  external  environment. 


4 


Systolic  algorithms  typically  operate  on  arrays  of  data  items.  Systolic  algorithms 
require  that  the  speed  at  which  data  moves  through  the  circuit  be  independent  of  the 
index  of  the  data  items  (usually).  Hence,  we  propose: 

Linearity:  The  step  number  at  which  a  computation  is  done  is  usually  a  simple 
(e.g.,  linear  or  piecewise-linear)  function  of  data  indices. 

We  have  shown  the  correspondence  between  systolic  algorithms  and  a  special  kind 
of  program.  Henceforth,  we  deal  only  with  issues  of  developing  such  a  program  from  a 
specification. 

2.4.  Program  Development 

As  in  other  areas  of  programming,  an  invariant  is  a  central  concept  in  our  ap¬ 
proach  to  systolic  algorithms.  In  fact,  it  seems  that  the  program  design  task  is  almost 
over  once  a  suitable  invariant  is  found.  We  introduce  a  variable  t,  denoting  the  step 
number  {t  is  initially  0  and  is  increased  by  1  in  each  execution  of  the  statement)  and 
state  an  invariant  relating  various  data  items  and  t.  We  will  be  guided  by  the  limited 
fan-in-fan-out  and  linearity  requirements  in  postulating  an  invariant.  The  ffect  of 
statement  execution  is  to  preserve  the  invariant  when  t  is  increased  by  1. 

The  invariant  is  useful  in  deriving  initial  conditions  and  boundary  conditions. 
Determining  these  conditions  and  the  rate  of  data  flow  are  the  most  tedious  details  one 
has  to  contend  with;  invariants  seem  to  simplify  the  effort. 

2.5.  Notsttion 

We  use  II  to  break  up  a  multiple  assignment  statement  into  its  component  assign¬ 
ments  for  convenience  in  reading.  For  instance, 

X,  y  :=  y,  X 

is  equivalent  to 


x:=y  II  y:=x  . 


The  following  notation,  where  5  is  a  set  and  each  Q{i)  is  an  assignment  (or  mul¬ 
tiple  assignment): 

< » in  S  ::  ||  Q(i) ) 


denotes  a  statement  obtained  by  enumerating,  for  every  element  of  St^Q(i)  with  t 
replaced  by  that  element.  For  example  ( t  in  0..1  :  ||  X(t] :—  y[t]  )  is  equivalent  to 
II  Jf(0]  :=  YlO]  ||X(l]  :=y(l].  We  omit  5  when  it  is  clear  from  the  context.  The  state¬ 
ment. 


5 


X  :=  c  if  b 

is  to  be  interpreted  as 
X  ;=  e  if  6  ~  x  if  ->6. 

The  scope  of  if  will  be  shown  explicitly,  if  needed,  as  in  the  following. 

a?,  y  62)  * 

is  equivalent  to, 

X,  y  :=  Cj  if  6,  Cg  if  6 
and  also  equivalent  to, 

(x,  y  :=  Cj,  Cj)  if  6 

3.  Band  Matrix  Multiplication 

The  problem  is  to  compute 


where  A,  B  are  band  matrices  and  denotes  multiplication. 

We  have, 

y 

This  expression  cannot  be  used  directly  for  computing  C[t,^]  since  that  would  vio¬ 
late  the  limited  fan-in-fan-out  requirement.  Therefore,  we  define  as  in  [l]: 


fO,  ify<0 

C%k]  =  \  .  /  (1) 

l.-.ibl  +  A[xj]  X  B\J,k\x  if  J  >  0 

Equation  (1)  suggests  that  A[iJ\  and  will  be  multiplied  in  some  step.  Using  the 

linearity  criterion,  we  may  postulate  that  they  will  be  multiplied  in  a  step  which  is  a 
linear  function  of  ij,k.  If  this  linear  function  is  independent  of  one  of  arguments, 
say  t,  then  for  any  fixed  value  of  j,k,  A[i^  and  Blj,k],  will  be  multiplied  in  the  same 


6 


step  for  all  t;  that  is  Blj,k]  will  appear  in  more  than  one  computation  in  a  step,  thus 
violating  the  limited  fan-in-fan-out  requirement.  Hence,  we  may  assume  that  A[t,j|, 
B\J,k\  are  multiplied  in  a  step  that  is  a  nontrivial  linear  function  of  each  of  its  ar¬ 
guments  -  we  choose  the  simplest  such  function:  t  +  j  +  k. 

Since  are  band  matrices,  we  postulate  that  each  diagonal  (main,  subdiagonal 
or  superdiagonal)  is  pipelined.  Let  one  node  be  assigned  for  each  pair  of  diagonals  -  one 
from  A  and  one  from  B  -  to  carry  out  computations  on  element  pairs  from  these 
diagonals.  Element  A[iJ[  belongs  to  diagonal  (t  —  j)  of  A  and  B[j,k\  to  diagonal  {j  —  k) 
of  B;  hence  index  the  node  at  which  they  are  multiplied  by  (i  —  j,  j  —  k). 

Equation  (1)  suggests  that  A[t,j],  B[y,Ar],  [t,A;]  be  made  available  at  the  same 
time  at  some  node  and,  from  this  discussion,  that  node  is  (t  —  j,  j  —  k).  Therefore,  each 
node  {v,w)  has  three  input  lines  y|v,ti;]  and  Z[v,w],  along  which  A,B,C  respec¬ 

tively  are  pumped  into  it.  From  this  discussion,  we  have  the  following  invariant. 

Invariant :  i  —  i  +  j-\-k=^ 

[X[i  -  j,  j-k\=  A[i,j\  and, 

Y[i-j\j-k]  =  Bl,\k]  and, 

Z[i-j,j-k]^d-^[i,k]. 

1 

The  variables  tj,k,t  in  the  invariant  are  universally  quantified  over  all  integers;  ignore 
the  equations  corresponding  to  undefined  subscript  values  in  the  right  side. 

Our  design  task  is  nearly  complete!  We  merely  have  to  show  how  to  establish  the 
invariant  initially,  and  how  to  preserve  it  when  t  is  increased  by  1. 

3.1.  Initial  Conditions 

Initially,  let  t  be  0.  Then  for  any  %,j  with  k  =  — (t  +  j),  we  are  required  to  have, 
JCl*-i,t  +  2jl=AM. 


Similarly, 


Let  y  =  —  (*  +  Ar),  where  »  >  0,  A:  >  0.  Then,  j  <  0.  Hence, 


C<^-l[t,A:]=0. 


Substituting  —  (»  +  k)  for  j  in  the  invariant , 


a'r  r  *  j' 


Summarizing  the  initial  conditions, 


X[i  -  j,  i  +  2j]  =  A[t  j],  for  all  ij 
y[-2j- k,  i-  it]  =  B\J,k\,  for  all  j,k 
Z[2i  +  k,  — » —  2k]  =  0,  for  t  >  0,  it  >  0. 


3.2.  Preserving  the  Invariant 

We  show  how  to  preserve  the  invariant  when  t  is  increased  by  1.  First,  we 
simplify  the  notation  by  introducing, 

v  —  i  —  j  and  w  =  j—k. 

First  consider  the  data  item  From  the  invariant,  it  equals  X[v,u;|  at 

t  =  i  +  j+k.  It  must  equal  tw— ij  after  t  is  increased  by  1.  This  can  be  ac¬ 
complished  by  the  assignment, 

jr{v,  u;  —  1]  :=  X[v,tyj. 

Similarly,  we  get  the  assignments, 

y|t;  -I-  !,«;]  :=  y|v,«;]  and, 

Z|v  —  -I- 1]  :=  ^v,u;|  +  xy(v,ti;j. 


Note  that  these  steps  need  be  carried  out  only  for  t,ij,k  satisfying  t  =  i  +  j+  k,  i.e., 
f  =s  (i  —  j)  —  (y  —  k)  +  3j.  We  rewrite  this  condition  -  weakening  it  somewhat,  to 
eliminate  i,j,k  -  as  t  =  {v  —  w)  mod  3.  This  results  in  the  following  program. 


8 


Program  Pi  (for  multiplying  band  matrices} 
initially  : 


<  for  all  ij ::  X[i  -  j,  i  +  2j]  =  A(t  J]  > 

( for  all  j,k ::  y|  —  2j  —k,j—k]  =  ) 

( for  all  i,k Z\2i  +  ib,  —  t  —  2fc]  =  0  ) 


assign:  (  for  all  v,  w:: 

(II  := 

j|  Y(t; +!,«;]  := 

l,u;+ 1]  := 

II  t  := 


Z(t;,u;l  +  [v.tn]  X  Y(t;,to]  ) 

it  t  =  {v  —  w)  mod  3  ) 

t  +  1 


end  {FI} 

This  program  represents  a  systolic  array.  We  have  finished  a  large  part  of  the 
design.  What  remains  to  be  done  is  to  determine  the  size  of  the  systolic  array  and  the 
number  of  steps  required  to  complete  execution. 

3.3.  Determining  Array  Size  and  Number  of  Steps 

Program  FI  does  not  specify  the  dimensions  of  X,y,Z  nor  the  step  number  t,  up 
to  which  program  execution  should  continue.  These  parameters,  and  others,  can  be 
deduced  from  the  invariant  using  the  sizes  of  input  matrices  A,B  as  parameters. 

Let  BA,TA  (bottom  of  A,  top  of  A)  have  the  following  meaning:  A[i,j\  is  zero  un¬ 
less  BA  —  TA.  Likewise,  define  BBjTB  for  matrix  B.  The  multiplication  in 
program  F 1  yields  a  zero  if  X[v,tt;]  =  0  or  y|v,u;]  =  0.  Therefore,  we  may  restrict  to 
the  range  BA  <  v  <  TA  and  BB  <  ty  <  TB  for  computation  of  the  product.  Hence,  Z 
can  be  dimensioned  (BA— 1  ..  TA,  BB  ..  Other  assignments  merely  move 

the  elements  of  A  or  B;  this  corresponds  to  feeding  the  systolic  array  appropriate  ele¬ 
ments  of  A  and  B. 


Next,  we  determine  when  and  where  C\i,k],  for  any  given  i,k,  becomes  available. 
That  is,  we  want  to  find  T  and  v,w  such  that, 

{t^T)  ^  {Z[v,w\^C[i,k\). 


First  we  determine  j  such  that: 


(2) 


^  T.".  r  ^  ■ 


T  ^H'».  T^rf  u  ■ 


*  ¥  '"  rf  - 


9 


This  holds  when  A[*  j]  =  0  or  B[j^k\  =  0.  (A[*,j]  =  0  and  B[j,k\  =  0  if  j  exceeds  the 
number  of  columns  of  A.  To  eliminate  special  case  analysis  ,  we  assume  that  A,B  are 
augmented  with  suitable  number  of  zeros  for  larger  values  of  j.) 


I 


P! 


==  0»  3  ^  0,  if  i  —  j<  BA, 

B\J,k]  =  0,  fori  >  0,  if i-  k>TB. 


Hence  the  minimum  value  of  j  for  which  (2)  holds  is  j  *  given  by 
i  *  =  mtn(t  —  BA,  k  +  TB)  +  1 


I 


I 

1.M  * 

I 

I 


fJ: 


r> 


‘i': 


% 

i 

I 


From  the  invariant,  at  T=  i  +  j*  +  k. 

Note  that  in  case  —  BA  =  TB,  j*  =  Tnin{i,k)  +  TB  +  1.  Hence  the  systolic  array  has  a 
pleasing  diamond  structure  as  given  in  [l].  However,  for  arbitrary  BA,TB,  the  structure 
is  not  as  regular.  We  show  the  relevant  portion  (i.e.,  where  multiplication  is  done)  of  an 
arbitrary  systolic  array  in  figure  3-1. 

The  invariant  simplified  the  considerations  of  initial  and  boundary  conditions  and 
data  flow  rates.  In  this  particular  example,  we  imagined  that  all  the  elements  of 
matrices  A,B  are  initially  placed  on  certain  lines,  though  the  useful  work  (of 
multiplication)  is  performed  in  a  limited  region.  Now  we  consider  an  example,  L-U 
decomposition,  where  such  an  assumption  cannot  be  made;  in  fact,  the  goal  of  the  algo¬ 
rithm  is  to  compute  something  akin  to  A,B  from  C. 


4.  L-U  Decomposition  of  a  Band  Matrix 

Given  a  band  matrix  A,  its  L-U  decomposition  Is  a  pair  of  matrices  L  and  U  where 
L  is  a  lower  diagonal  matrix  with  I’s  on  diagonals  and  U  is  an  upper  diagonal  matrix, 
satisfying  the  following  equations.  (These  equations  are  from  [l]  with  indices  renamed 
and  renumbered  starting  from  0.) 


A%k]  = 

A(t,A:] 

Aj+%k\  = 

A%k]  -  L[iJ\  X  Ul3,k],  j>0 

ro,  if  t  <  j 

L[iJ\  = 

j  1,  ift 

^A%jyUl3,j],  if  i  >  j 

Figure  3-1:  Relevant  portion  of  a  systolic  array  for  multiplications  of  band 
matrices  with  BA  =  —3,TA  =  2,  BB  —  —  1,  7B  =  1 


UUA 


ro,  if  j>  k 

^A%k],\(j  < 


We  adopt  the  convention  that  for  i  <  0.  As  described  in  the  last  sec¬ 

tion,  let  BA,TA  be  such  that  A{t,j]  =  0  unless  BA  —  j  ^  TA.  It  can  be  shown  for 
band  matrices  that 


^y+  ![,•  k]  =  ^  (i-  ^  <  ba) 

lA>^[t,A:]  —  L[i,j[  X  Ul3,k\,  otherwise 


The  form  of  computation  on  A  suggests  matrix  multiplication.  Hence,  we  attempt  using 
the  invariant  for  matrix  multiplication,  with  variables  suitably  renamed  for  this 
problem.  In  the  following  invariant  we  have  constrained  certain  indices  because  L  is  a 
lower  diagonal  and  U  an  upper  diagonal  matrix. 


Invariant: 


t  =  i  +  j-\-  k  =» 
i(y>o,<>j,*>j 
U>0,i>i,k>j 
(«•  >0,k>0,i>j,k>j 


and 

and 


1 


As  before,  we  give  initial  conditions  satisfying  the  invariant  and  show  how  to 
preserve  the  invariant  when  t  is  increased  by  1.  The  major  difference  from  matrix  mul¬ 
tiplication  is  that  L,f/,  unlike  matrix  multiplication,  are  not  available  initially  and  have 
to  be  computed. 


4.1.  Initial  Conditions 

For  t  =  0,  the  first  two  conditions  in  the  invariant  are  vacuotisly  satisfied  because 
there  are  no  t  j,ib  satisfying  these  conditions.  The  last  condition,  for  any  »  >  0,  >  0, 

can  be  satisfied  by  letting  j=  —  (t  +  it)  and  hence, 

2^2* -I- it,  -»-2itj=A<>(t,itl  =  A(t,it]  {since i<0} 


4.2.  Preserving  the  Invariant 

As  before,  we  use 

vzssi  —  j  and  w  =  j—k. 


It  follows  from  the  invariant  that  we  need  only  consider  the  cases  for  v  >  0  and  w  <  0. 

4.2.1.  Preserving  the  first  condition  in  the  invariant 
We  now  consider  preservation  of, 

t^i  +  j+k  and  j  >  0,  t  >  j,  k>  j  =» 

=  L[iJ\. 


For  any  ij,t  where  i  >j>0  and  t  >  » -I-  2j :  there  is  some  (v,w),  v  >  0,  in  <  0  such 
that,  X\v,'w\  =  L[t  j]. 


12 


We  now  ask  ourselves  how  this  requirement  is  to  be  met.  If  t  >  t  +  2j,  L[iJ\  has 
already  been  computed  and  has  to  be  assigned  to  the  proper  Xlvytu].  If  t  =  t  +  2j\  then 
is  to  be  computed  and  assigned  to  the  appropriate  X\v,w\. 

Case  1)  t>i  +  2j  {equivalently,  w  <  0}; 

Then,  X|v,u;]  = 

The  invariant  is  preserved  by: 

Case  2)  t  =  i  +  2j  {equivalently,  w  =  0}: 

The  invariant  is  preserved  by  computing  L[t  J]  according  to  its  defining  equation 
and  then  assigning  it  to  the  proper  variable. 

At  the  following  step,  i.e.,  the  {t  +  1)*^  step,  the  only  k  satisfying 

t  +  1  =  t+j  +  A: 

is  A:  =  i+  1. 

Hence  at  this  step  we  must  have 
X{v,  -  1]  =  L[iJ\ 
substituting  for  L[iJ\: 

X{v,-l]:={L[iJ\  =  }AJ[xJ\/Uyj\  ift>i  ~  1  if»=j. 

From  the  invariant,  at  t  =  t  +  2j,  A^[t  =  Z[i  —  y,0]. 

Also,  at  t  =  t  +  2j  {»  >j,k  =  ]),  U\jJ[  =  Y\%  -  y,0). 

Hence,  the  following  assignment  preserves  the  invariant  {t  >  j  is  rewritten  as  v  >  0}: 
X[v,  —  1]  :=  Z[v,0\l'Y[v,0\  if  t;  >  0  ~  1  if  v  =  0. 


'tw;' 


mwmm 


13 


& 


I 


f. 


fr*; 


I 

I 


4.2.2.  Preserving  the  second  condition  in  the  invariant 
By  similar  reasoning  we  identify  two  cases. 

Case  1)  t>2j+  k  {equivalently  v  >  0}: 

y[v  + 1,  tw]  ;= 

Case  2)  t=^2j+  k  {equivalently  v  =  0}: 

Y[hw]:=A%k] 

At  t  =s  2j  +  k,  A^\j,k]  =  Z[0,  j—  ifc].  Hence, 
y{l,u;]  :s  ZlOjU;] 


4.2.3.  Preserving  the  third  condition  in  the  invariant 
From  the  equations, 


^y+  iL-  u  _  ~  i  >  O'*  k<BA  ^ 

~L(tv;]xC/[y,A:j,  otherwise 

By  similar  arguments  we  derive  the  following  assignment  to  preserve  the  invariant. 

f  Z[VfW\  if  V  > 

Zlt;-l,u;+l]:='^  ‘  ' 

kZ[v^v}\  —  X[v,% 


\Z[v^w\  \tv>  TA  or  w  <  BA  ~ 

,u;|  XY{v,ti;j  if  u  <  TA  and  w  >  BA 


Program  P2  {L-U  decomposition  of  a  band  matrix} 


initially  :  t  =  0, 

( for  all  t  >  0,  it  >  0  :  Z(2t  +  it,  —  *  —  2ib]  =  ) 

amign  :  (  for  all  v,w:: 

(II  iw— 1]  :=  if  in  <  0  ~  Z[t;,0]/Ylt;,0]  if  u;  =  0  and  V  >  0 

~  1  if  ti;  *  0  and  v  =  0 

II  Ylv  +  1,  tw]  :=  if  V  >  0  ^ —  Z[0,w]  if  v  =  0 

II  Z[v  —  1,  tu  +  1)  :=  Z[v,w]  —  X  YIv,«;]  if  v  <  7Vl  and  w  >  BA 

—  Z[u,w\  if  V  >  2H  or  ty  <  BA  ) 

if  t  ss  (v  —  ty)  mod  3  ) 

II  t  :=  t  +  1 

end  {P2} 


5.  Discussion 

Programs  PI,  P2  capture  the  essence  of  the  algorithms  given  in  (1]  for  the  cor¬ 
responding  problems.  The  multiple  assignment  statement  in  each  program  can  be  im¬ 
plemented  by  associating  a  node  with  each  (v,ty)  and  carrying  out  the  operations  in  each 
step  as  given  by  the  algorithm.  The  algorithm  tells  us  that  node  v,ty  accepts  inputs 
along  Jr(v,ty],  Y|v,ty],  Z[v,w]  and  produces  results  along  Jr|v,ty— 1],  y|v-i-l,ty]  and 
Zfv— l,ty+l]  in  each  step  t,  where  t^{y—w)  mod  3.  Some  ingenious  optimizations 
have  been  applied  in  [l]  so  that  only  one  kind  of  node  -  that  receives  three  values  A,B,C 
and  computes  A -h  BXC  -  may  be  used  almost  completely  throughout  the  systolic  array. 

This  work  is  part  of  an  ongoing  project  called  UNITY  [2,3,4]  to  provide  a  unified 
framework  for  the  development  of  sequential,  parallel  and  distributed  programs.  A 
thesis  of  UNITY  b  that  early  stages  of  program  design  should  not  be  concerned  with  ar¬ 
chitectural  and  programming  language  issues:  these  concerns  are  appropriate  only  for 
later  stages  of  design.  Another  thesis  is  that  diverse  applications  -  ranging  from  VLSI 
algorithms  to  communication  protocols,  from  command  and  control  systems  to  spread¬ 
sheets  -  are  programs  and  amenable  to  a  common  design  strategy.  UNITY  has  yet  to 
give  conclusive  proof  of  these  theses  -  but  we  are  hopeful. 

VLSI  implementations  require  considerably  more  than  an  algorithmic  description. 
We  have  only  addressed  concerns  dealing  with  correctness  arguments  SHtl  systematic 
program  development.  It  is  straight-forward  to  map  our  programs  to  circuits  with 


15 


limited  fan-in  and  where  each  line  is  directed  from  one  node  to  one  node.  However,  not 
all  such  circuits  can  be  implemented  in  VLSI. 


6.  References 

1.  H.  T.  Kung  and  Charles  E.  Leiserson,  "Algorithms  for  VLSI  Processor 
Arrays,"  (Section  8.3)  Introduction  to  VLSI  Systems,  (ed.  Mead  and 
Conway),  Addison- Wesley  Publishing  Company,  1080. 

2.  K.  M.  Chandy,  "Concurrency  for  the  Masses",  Invited  Address:  Third  An¬ 
nual  ACM  Symposium  on  Principles  of  Distributed  Computing,  August  1984, 
Vancouver,  Canada,  (appeared  in  Proceedings  of  Fourth  Annual  ACM  Sym¬ 
posium  on  Principles  of  Distributed  Computing,  1085. 

3.  K.  M.  Chandy  and  J.  Misra,  "An  Example  of  Stepwise  Refinement  of  Dis¬ 
tributed  Programs:  Quiescence  Detection,"  to  appear  in  ACM  Transactions 
on  Programming  Languages  and  Systems. 

4.  K.  M.  Chandy  and  J.  Misra,  "Programming  and  Parallelism:  The  Proper 
Perspective",  Research  Report,  Computer  Sciences  Department,  University 
of  Texas,  November  1085. 

5.  C.  Leiserson,  F.  Rose,  and  J.  Saxe,  "Optimizing  Synchronous  Circuitry  by 
Retiming",  Third  Calttch  Conference  on  VLSI,  (ed.  R.  Bryant),  California 
Institute  of  Technology,  March  1083,  pp.  87-115. 

6.  G.  J.  Li,  And  B.  W.  Wah,  "The  Demgn  of  Optimal  Systolic  Arrays",  IEEE 
IVansactions  on  Computers,  C-S4,  No.  1,  January  1085,  pp.  65-77. 

7.  Marina  C.  Chen,  "A  Parallel  Language  and  its  Compilation  to  Multiproces¬ 
sor  Machines  or  VLSI",  Research  Report,  Yale  University,  DCS-RR-432,  Oc¬ 
tober  1085. 

8.  Marina  C.  Chen,  "The  Generation  of  a  Class  of  Multipliers:  A  Synthesis 
Approach  to  the  Design  of  Highly  Parallel  Algorithms  in  VLSI",  Research 
Report,  Yale  University,  DCS-RR-442,  December  1985. 


